Dashboards & Visualizations

issue with Case statement when using multiple rex

prakashbhanu407
New Member

I have the below search query, which gives a good result, but when used in a dashboard it says "Search is waiting for input";
when I remove the rex from the second statement it works in the dashboard.

index=app-axxfer-restricted queryType="ts"
(
  ((filename=RECON* NOT filename=RECON*.txt) "siteName=Send RECON file") OR
  ((filename=RECON* NOT filename=RECON*.txt) "siteName=Facets to Prod Mark")
)
| eval type=case(
    (match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Send%")), "Files received from NASCO",
    (match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Facets%")), "FACETS Files sent to CVS"
  )
| timechart span=1d count by type

This works only when I remove the rex as below, but this is no good for me:
(match(filename,"RECON") AND like(siteName,"%Facets%")), "FACETS Files sent to CVS"

Can you please tell me what to do with the case statement so that it works in the dashboard even if I use multiple rex?


sundareshr
Legend

My guess is, it's the $ sign. Try removing that in your rex.


lguinn2
Legend

There are a couple of alternatives here to simplify the overall search string.

index=app-axxfer-restricted queryType="ts" 
(
(filename=RECON* NOT filename=RECON*.txt "siteName=Send RECON file") OR
(filename=RECON* NOT filename=RECON*.txt "siteName=Facets to Prod Mark") 
) 
| eval type=case(
match(filename,"RECON+.\d+.\d+$") AND like(siteName,"Send%"),"Files received from NASCO",
match(filename,"RECON+.\d+.\d+$") AND like(siteName,"Facets%"), "FACETS Files sent to CVS",
1==1,"Unknown"
)
| timechart span=1d count by type

If you have tested the file name in the base search, you should not need to test it again in the eval - unless you want to eliminate more of the results. In the search above, I added a "catch-all" to the case statement to pick up any cases that don't match your pattern. But if you know that everything should match one of the first two cases, you can simplify further:

index=app-axxfer-restricted queryType="ts" 
(filename=RECON* NOT filename=RECON*.txt "siteName=Send RECON file") OR
(filename=RECON* NOT filename=RECON*.txt "siteName=Facets to Prod Mark") 
| eval type=case(like(siteName,"Send%"),"Files received from NASCO",
            like(siteName,"Facets%"), "FACETS Files sent to CVS",
            1==1,"Unknown" )
| timechart span=1d count by type

Although you could perhaps remove the third condition in the case statement - I wouldn't. It is a great way to catch something you might have missed.


prakashbhanu407
New Member

Thanks for the suggestion, but my search string has various other files too with the same "siteName", hence I had to use both "filename" and "siteName".


prakashbhanu407
New Member

Thanks Sundar, it worked!!

Not sure why "$" worked when used in the search string but not in the dashboard.


Richfez
SplunkTrust

Converted to an answer so it can be "Accepted" since this seemed to be the right answer.

The explanation (I'd guess) is that $ is a special character in a dashboard and so maybe those two dollar signs were being interpreted as tokens and Splunk was trying to use ") AND like(siteName,"%Send%")),"Files received from NASCO", (match(filename,"RECON+.\d+.\d+ as a variable with substitution (like $time_tok).

You MIGHT be able to escape each one (blah blah \$ blah blah) to get around this as well.


sundareshr
Legend

I think you escape with two $, like this: $$


lguinn2
Legend

It is a PCRE-type regular expression; I don't think you can escape one dollar sign with two. Proper regex syntax is that backslash is the escape character. But it looks like the dollar sign was unneeded anyway.

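Richfez's explanation above, as an added example that is not from this thread or from Splunk itself: a small Python model of dashboard token substitution (an assumed simplification: each `$name$` pair is replaced by the token's value, `$$` stands for a literal `$`, and a search referencing an unset token is left waiting for input), run over the eval from the question to show what the two dollar signs in the regex turn into.

```python
# Added example (not from the thread): a simplified model of dashboard token
# substitution, showing why the two "$" in the regex break the panel.
# ASSUMPTION: $name$ pairs are replaced before the search runs, "$$" is a
# literal "$", and an unset token leaves the search "waiting for input".

def find_tokens(spl):
    """Return the token names a dashboard would see in the search string."""
    names, i = [], 0
    while i < len(spl):
        if spl.startswith("$$", i):          # escaped dollar, not a token
            i += 2
        elif spl[i] == "$":
            end = spl.find("$", i + 1)
            if end == -1:                    # unmatched "$": nothing more to scan
                break
            names.append(spl[i + 1:end])
            i = end + 1
        else:
            i += 1
    return names

def render_dashboard_search(spl, tokens):
    """Substitute tokens; return None when a referenced token is unset."""
    out, i = [], 0
    while i < len(spl):
        if spl.startswith("$$", i):
            out.append("$"); i += 2
        elif spl[i] == "$":
            end = spl.find("$", i + 1)
            if end == -1:
                out.append(spl[i:]); break
            name = spl[i + 1:end]
            if name not in tokens:
                return None                  # dashboard waits for input
            out.append(tokens[name]); i = end + 1
        else:
            out.append(spl[i]); i += 1
    return "".join(out)

# The eval from the question, as typed into the dashboard (constructed input).
ORIGINAL_EVAL = (r'eval type=case((match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Send%")),'
                 r'"Files received from NASCO", (match(filename,"RECON+.\d+.\d+$") AND '
                 r'like(siteName,"%Facets%")), "FACETS Files sent to CVS")')
# Same eval with every "$" written as "$$", as sundareshr suggested.
ESCAPED_EVAL = ORIGINAL_EVAL.replace("$", "$$")

if __name__ == "__main__":
    print(find_tokens(ORIGINAL_EVAL))        # one huge, accidental "token name"
    print(render_dashboard_search(ESCAPED_EVAL, {}) == ORIGINAL_EVAL)  # True
```

The accidental token name printed by `find_tokens` is exactly the fragment Richfez quoted, and the escaped form renders back to the original eval with no token left unresolved.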