×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
brandonworkenti
New Member
Member since: ‎12-29-2017
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-29-2017
Activity Feed
View All

How to use variables with wildcards in a search

by in Splunk Dev
‎12-29-2017 01:02 PM
‎12-29-2017 01:02 PM
Hello, I'm attempting to use a drilldown to search. The original search renamed some fields in order to improve the display in the dashboard, and so in the drilldown search query I'm attempting to do something like (the search includes a wildcard): eval searchTerm = case("Renamed Value One", "value1*", "Renamed Value Two", "value2*") This is causing the search to not return any results. I think the eval statement is where it's not working as I expect. If I do: sourcetype="index" | spath typeId | search typeId=value1* ... then I get the results I expect. But if I use: sourcetype="index" | eval new_typeId=value1* | spath typeId | search typeId=new_typeId ... then no results are returned. (I tried both with and without the spath command I used this answer https://answers.splunk.com/answers/494424/search-using-variables.html as the model for it, but that uses where , which does not allow for wildcards. How can I use the variable later in a search, when it contains a wildcard? Thanks! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM