
Wildcard value in condition

Communicator

As I want to keep my dashboards as dynamic as possible I am trying to avoid writing specific conditions where as...

<condition value="object*">

instead of

<condition value="object1">
<condition value="object2">

... and so forth would be nice to avoid. Sadly it appears as if Splunk parses the asterisk as an actual asterisk and not a wildcard. Am I doing something wrong or is this not possible?

Thank you.

0 Karma

Re: Wildcard value in condition

SplunkTrust

With my limited experience with 'condition', I would say that it's not possible. Could you post your input control xml where you're trying to use this wildcard condition?

0 Karma

Re: Wildcard value in condition

Communicator
<input type="dropdown" searchWhenChanged="false" token="form.city">
  <label>Change city:</label>
  <search>
    <query>index=geoData city| top city | sort city| fields city</query>
  </search>
  <choice value='era*'>All cities</choice>
  <fieldForLabel>city</fieldForLabel>
  <fieldForValue>city</fieldForValue>
  <default>$form.city$</default> <!-- This is for setting default to value passed from parent dashboard. -->

  <change>
    <condition value='euro*'>
      <set token="geoLoc">1</set>
    </condition>
    <condition value='usa*'>
      <set token="geoLoc">2</set>
    </condition>
  </change>

</input>
0 Karma

Re: Wildcard value in condition

SplunkTrust

And you want to display actual city names in the dropdown, correct? I don't have a solution to that yet, but you can use a subsearch to get the value of geoLoc wherever it's to be used, based on the value of city with wildcard. A sample search could be like this:

index=something sourcetype=something [| gentimes start=-1 | eval geoLoc=case(like("$form.city$","euro%"),1,like("$form.city$","usa%"),2,1=1,null()) | table geoLoc] ...| rest of the search
0 Karma

Re: Wildcard value in condition

Communicator

I actually managed to create an ugly workaround:

Since Splunk simple XML does not differentiate between object* and * I had to reverse the logic by making "*" specific to * and anything else not specific to *. The code looks like this:

    <input type="dropdown" searchWhenChanged="true" token="form.city">
      <label>Change city:</label>
      <search>
        <query>index=os city | top city| sort city| fields city</query>
      </search>

      <choice value='[search index=geoLoc | eval magicString="*" | return $magicString]'>All</choice>
      <fieldForLabel>city</fieldForLabel>
      <fieldForValue>city</fieldForValue>
      <default>$form.city$</default>

      <change>
        <condition value='[search index=geoLoc | eval magicString="*" | return $magicString]'>
          <set token="form.object">euro</set>
        </condition>
        <condition value='*'>
          <set token="form.object">usa</set>
        </condition>
      </change>
    </input>

Probably difficult to understand but to someone with the same problem this might be of some value. This of course only works if euro applies to * and USA to everything else but it could probably be further modified by adding more magic strings.

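The following is an added example, not part of the original thread: one way to get prefix matching in a `<change>` handler is the `match` attribute of `<condition>`, which takes an eval expression instead of a literal value. It assumes a Splunk version whose Simple XML reference lists `match` for input change conditions; the token name `city` and the `All cities` choice value are hypothetical, while `index=geoData` and `geoLoc` come from the posts above.

```xml
<form>
  <label>City selector (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="city" searchWhenChanged="true">
      <label>Change city:</label>
      <choice value="*">All cities</choice>
      <search>
        <query>index=geoData city=* | stats count by city | sort city | fields city</query>
      </search>
      <fieldForLabel>city</fieldForLabel>
      <fieldForValue>city</fieldForValue>
      <default>*</default>
      <change>
        <!-- match takes an eval expression; like() uses % as its wildcard, not * -->
        <condition match="like($value$, &quot;euro%&quot;)">
          <set token="geoLoc">1</set>
        </condition>
        <condition match="like($value$, &quot;usa%&quot;)">
          <set token="geoLoc">2</set>
        </condition>
        <!-- A condition with no attributes handles every other value,
             including the literal * of the "All cities" choice -->
        <condition>
          <unset token="geoLoc"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
</form>
```

Conditions are checked in order and only the first one that matches runs, so the catch-all condition must come last.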