Dashboards & Visualizations

issue with Case statement when using multiple rex

prakashbhanu407
New Member

I have the search query below, which gives good results, but when used in a dashboard it says "Search is waiting for input".
When I remove the rex from the second statement, it works in the dashboard.

index=app-axxfer-restricted queryType="ts"
(
  ((filename=RECON* NOT filename=RECON*.txt) "siteName=Send RECON file") OR
  ((filename=RECON* NOT filename=RECON*.txt) "siteName=Facets to Prod Mark")
)
| eval type=case(
    (match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Send%")), "Files received from NASCO",
    (match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Facets%")), "FACETS Files sent to CVS"
)
| timechart span=1d count by type

This works only when I remove the rex as below, but this is no good for me:
(match(filename,"RECON") AND like(siteName,"%Facets%")) , "FACETS Files sent to CVS"

Can you please tell me what to do with the case statement so that it works in the dashboard even if I use multiple rex?

0 Karma
1 Solution

sundareshr
Legend

My guess is, it's the $ sign. Try removing that in your rex.


lguinn2
Legend

There are a couple of alternatives here to simplify the overall search string.

index=app-axxfer-restricted queryType="ts" 
(
(filename=RECON* NOT filename=RECON*.txt "siteName=Send RECON file") OR
(filename=RECON* NOT filename=RECON*.txt "siteName=Facets to Prod Mark") 
) 
| eval type=case(
match(filename,"RECON+.\d+.\d+$") AND like(siteName,"Send%"),"Files received from NASCO",
match(filename,"RECON+.\d+.\d+$") AND like(siteName,"Facets%"), "FACETS Files sent to CVS",
1==1,"Unknown"
)
| timechart span=1d count by type

If you have tested the file name in the base search, you should not need to test it again in the eval - unless you want to eliminate more of the results. In the search above, I added a "catch-all" to the case statement to pick up any cases that don't match your pattern. But if you know that everything should match one of the first two cases, you can simplify further:

index=app-axxfer-restricted queryType="ts" 
(filename=RECON* NOT filename=RECON*.txt "siteName=Send RECON file") OR
(filename=RECON* NOT filename=RECON*.txt "siteName=Facets to Prod Mark") 
| eval type=case(like(siteName,"Send%"),"Files received from NASCO",
            like(siteName,"Facets%"), "FACETS Files sent to CVS",
            1==1,"Unknown" )
| timechart span=1d count by type

Although you could perhaps remove the third condition in the case statement - I wouldn't. It is a great way to catch something you might have missed.

0 Karma

prakashbhanu407
New Member

Thanks for the suggestion, but my search string has various other files too with the same "siteName", hence I had to use both "filename" and "siteName".

0 Karma


prakashbhanu407
New Member

Thanks Sundar, it worked!!

Not sure why "$" worked when used in the search string but not in the dashboard.

0 Karma

Richfez
SplunkTrust

Converted to an answer so it can be "Accepted" since this seemed to be the right answer.

The explanation (I'd guess) is that $ is a special character in a dashboard and so maybe those two dollar signs were being interpreted as tokens and Splunk was trying to use ") AND like(siteName,"%Send%")),"Files received from NASCO", (match(filename,"RECON+.\d+.\d+ as a variable with substitution (like $time_tok).

You MIGHT be able to escape each one (blah blah \$ blah blah) to get around this as well.

0 Karma

sundareshr
Legend

I think you escape with two $, like this: $$

0 Karma
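As an added example (not from the thread), the same search inside a Simple XML dashboard panel in both forms: the first <query> keeps the original case statement, where Splunk reads the stretch between the two "$" regex anchors as a token name and waits for that token to be set, and the second writes each anchor as "$$", which Simple XML turns back into a literal "$" before the search is dispatched. The dashboard label, time range and panel titles are assumed; the catch-all branch comes from lguinn2's answer above.

```xml
<!-- Constructed Simple XML dashboard: index, fields and SPL come from the thread;
     label, time range and panel titles are assumed. -->
<dashboard>
  <label>RECON transfers by type</label>
  <row>
    <panel>
      <title>Broken: text between the two "$" anchors is read as a token name</title>
      <chart>
        <search>
          <query>index=app-axxfer-restricted queryType="ts"
  ((filename=RECON* NOT filename=RECON*.txt) "siteName=Send RECON file") OR
  ((filename=RECON* NOT filename=RECON*.txt) "siteName=Facets to Prod Mark")
| eval type=case(
    match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Send%"), "Files received from NASCO",
    match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Facets%"), "FACETS Files sent to CVS")
| timechart span=1d count by type</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Fixed: "$$" is rendered as a literal "$" before the search is dispatched</title>
      <chart>
        <search>
          <query>index=app-axxfer-restricted queryType="ts"
  ((filename=RECON* NOT filename=RECON*.txt) "siteName=Send RECON file") OR
  ((filename=RECON* NOT filename=RECON*.txt) "siteName=Facets to Prod Mark")
| eval type=case(
    match(filename,"RECON+.\d+.\d+$$") AND like(siteName,"%Send%"), "Files received from NASCO",
    match(filename,"RECON+.\d+.\d+$$") AND like(siteName,"%Facets%"), "FACETS Files sent to CVS",
    1==1, "Unknown")
| timechart span=1d count by type</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
```

Running the same SPL in the search bar needs no doubling, which is why the original query worked there and only failed once it was pasted into a dashboard.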

lguinn2
Legend

It is a PCRE-type regular expression; I don't think you can escape one dollar sign with two. Proper regex syntax is that backslash is the escape character. But it looks like the dollar sign was unneeded anyway.

0 Karma