Hello all,

Its the first time I actually post a question in here, since most topics are documented quite well and many questions have already been asked and answered. However I finally found an issue that I cannot find any answer to....

I guess that splunk is not designed for that but I nevertheless want to build sth. like this:

I´m currently building a dashboard that serves besides other purposes as a documentation site for adding new values or modifying them (in a csv lookup file).

The issue I now got is that although creating a query for creating new entries (via | makeresults... etc.) and a separate one for modifying existing entries, Its not possible for me to combine them into one and switching inbetween the two functions based on a value provided by an input field.

I´ve so far tried the following as a "switch function":

| eval var=case(switch="yes","| append [| makeresults | eval ExternalId=",switch="no","| search ExternalId=",1==1,"| append [| makeresults | eval ExternalId=")

In a second attempt I´ve put the whole case dependant part into the variable, eg.:

| append [| makeresults | eval DisplayName="$displayname$" | eval ExternalId="$location$" | eval Address="$address$" 
| eval Location_type="$location_type$" | eval Primary_contact="$primary_contact$" | eval Secondary_contact="$secondary_contact$" 
| eval Regional_manager="$regional_manager$" | eval spoc="$spoc$" | eval subnets="$subnets$"]

However in this case splunk takes the variable references as literates and creates an entry that looks as follows:

I´ve tried the known escape chars etc. but nothing worked.

Do you have any Ideas on how to solve this issue?

Many thanks ahead.