How to match() End of Line in a token query?

pbarna — Wed, 09 Feb 2022 19:49:50 GMT

I ended up using a slightly different solution involving match for the case criteria. Since the query inputs are being provided by token values to a Splunk Studio dashboard, I would not be able to properly break up and quote each term of a multi-value text input. By using match, I can just tell users to use | as a separator instead and run a search like:

| eval state=case(match(foo, "^($foo_token$)$") AND match(bar, "^($bar_token$)$"), 1, NOT match(foo, "^($foo_token$)$") AND NOT match(bar, "^($bar_token$)$"), 2, 1=1, 0)

However, the table cannot run this search. Even if both foo and bar have input values, the table shows "Waiting for input."
If I escape the end-of-line match character like $$ or like \$, I see the same "Waiting for input."
If I use only:

| eval state=case(match(foo, "^($foo_token$)$"), 1, 1=1, 0)

The search runs and produces expected results, so it seems to be a problem with having 2 or more $s.

I want to search for whole-line values of fields only. How can I do this?

Re: How to match() End of Line in a token query?

pbarna — Wed, 09 Feb 2022 22:05:27 GMT

What I ended up doing as a workaround:

index="data"
| eval foo_state=if(match(foo, "^($foo_token$)$"), 1, 0)
| eval bar_state=if(match(bar, "^($bar_token$)$"), 1, 0)
| eval state=if(foo_state=1, if(bar_state=1, 1, 0), if(bar_state=0, 2, 0))

topic Re: How to match() End of Line in a token query? in Dashboards & Visualizations

How to match() End of Line in a token query?

Re: How to match() End of Line in a token query?