Hello all,
It's the first time I've actually posted a question here, since most topics are documented quite well and many questions have already been asked and answered. However, I finally found an issue that I cannot find any answer to.
I guess that Splunk is not designed for this, but I nevertheless want to build something like it:
I'm currently building a dashboard that serves, besides other purposes, as a documentation site for adding new values or modifying them (in a CSV lookup file).
The issue I now have is that although I have created a query for creating new entries (via | makeresults ... etc.) and a separate one for modifying existing entries, it is not possible for me to combine them into one and switch between the two functions based on a value provided by an input field.
I've so far tried the following as a "switch function":
| eval var=case(switch="yes","| append [| makeresults | eval ExternalId=",switch="no","| search ExternalId=",1==1,"| append [| makeresults | eval ExternalId=")
In a second attempt I've put the whole case-dependent part into the variable, e.g.:
| append [| makeresults | eval DisplayName="$displayname$" | eval ExternalId="$location$" | eval Address="$address$"
| eval Location_type="$location_type$" | eval Primary_contact="$primary_contact$" | eval Secondary_contact="$secondary_contact$"
| eval Regional_manager="$regional_manager$" | eval spoc="$spoc$" | eval subnets="$subnets$"]
However, in this case Splunk takes the variable references as literals and creates an entry that looks as follows:
$displayname$ | $location$ | $address$ | $location_type$ | $primary_contact$ | $secondary_contact$ | $regional_manager$ | $spoc$ | $subnets$ |
I've tried the known escape characters etc., but nothing worked.
Do you have any ideas on how to solve this issue?
Many thanks in advance.
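An added example, not part of the original post, of one way to get "create or modify" from a single dashboard search without a switch token: drop any existing row with the submitted key, append the submitted row, and write the whole file back. It is written as a Simple XML panel so that the dashboard substitutes the tokens before the search is dispatched. The lookup file name locations.csv, the choice of ExternalId as the unique key, and the token names are assumptions taken from the post; the `|s` token filter is Simple XML's built-in "quoted string" filter, which wraps the value in double quotes and escapes any quotes inside it, so a value containing `"` or `|` cannot break out of the string and alter the search.

```xml
<!-- Added example (not from the original post). Assumptions: a lookup file locations.csv
     keyed on ExternalId, and a <form> with inputs that set the tokens referenced below. -->
<panel>
  <table>
    <title>Create or update a location entry</title>
    <search>
      <query>
| inputlookup locations.csv
| where isnull(ExternalId) OR ExternalId != $location|s$
| append
    [| makeresults
     | eval DisplayName=$displayname|s$,
            ExternalId=$location|s$,
            Address=$address|s$,
            Location_type=$location_type|s$,
            Primary_contact=$primary_contact|s$,
            Secondary_contact=$secondary_contact|s$,
            Regional_manager=$regional_manager|s$,
            spoc=$spoc|s$,
            subnets=$subnets|s$
     | fields - _time]
| outputlookup locations.csv
      </query>
    </search>
  </table>
</panel>
```

Two things to watch: put the panel inside a `<form>` with a submit button so the search runs once per submission rather than on every keystroke, and keep the `isnull(ExternalId)` clause, because a `where` comparison against a null field evaluates to false and would silently drop any rows whose key is empty. The user running the dashboard also needs write access to the lookup for `outputlookup` to succeed, and the file must already exist (with its header row) before `inputlookup` is run against it.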