Hey Gurus
I have a conundrum here regarding a Dashboard Studio board I'm working on to show Infoblox zone transaction details.
I'm trying to write queries that allow for either passing a grid site name or leave it blank and show global stats. Normally, the default value for a token is "*" and that works perfectly with splunk's host wildcard.
However, for some reason, you decided to use a different wildcard for the "where like" function, that being "%". This messes up a query I have when not passing a value for site. Fe. the following query works out as desired when I pass token "sf01-ibsn-c01n" for macro_site:
where new_serial="$macro_serial$" AND like(client_resolved, "$macro_site$%")
It interpolates it as :
where new_serial="2654170934" AND like(client_resolved, "sf01-ibsn-c01n%")
Of course, when I don't pass a site, the query turns into garbage:
where new_serial="2654170934" AND like(client_resolved, "*%")
I cannot change the default value to "%", since now the host wildcard is messed up. I basically need either two conditional defaults or, perhaps, some dash/xml logic to deal with this ?
Any help would be appreciated.
Thank you !
Answering my own question here. I fixed it. Didn't realize that "search" can also take k/v so I dont even need "where" at all. Luckily, "search" takes regular wildcards 🙂
| search client_resolved="$macro_site$*"