Dashboards & Visualizations

issue with Case statement when using multiple rex

New Member

I have the search query below, which gives good results, but when used in a dashboard it says "Search is waiting for input". When I remove the rex from the second statement it works in the dashboard.

index=app-axxfer-restricted queryType="ts"

(
((filename=RECON* NOT filename=RECON*.txt) "siteName=Send RECON file") OR

((filename=RECON* NOT filename=RECON*.txt) "siteName=Facets to Prod Mark")
)
|eval type =case(
(match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Send%")),"Files received from NASCO",
(match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Facets%")) , "FACETS Files sent to CVS"

)|timechart span=1d count by type

This works only when I remove the rex as below... but this is no good for me:
(match(filename,"RECON") AND like(siteName,"%Facets%")) , "FACETS Files sent to CVS"

Can you please tell me what to do for the case statement so that it works in the dashboard even if I use multiple rex?

1 Solution

Legend

My guess is, it's the $ sign. Try removing that in your rex.


Legend

There are a couple of alternatives here to simplify the overall search string.

index=app-axxfer-restricted queryType="ts" 
(
(filename=RECON* NOT filename=RECON*.txt "siteName=Send RECON file") OR
(filename=RECON* NOT filename=RECON*.txt "siteName=Facets to Prod Mark") 
) 
| eval type=case(
match(filename,"RECON+.\d+.\d+$") AND like(siteName,"Send%"),"Files received from NASCO",
match(filename,"RECON+.\d+.\d+$") AND like(siteName,"Facets%"), "FACETS Files sent to CVS",
1==1,"Unknown"
)
| timechart span=1d count by type

If you have tested the file name in the base search, you should not need to test it again in the eval - unless you want to eliminate more of the results. In the search above, I added a "catch-all" to the case statement to pick up any cases that don't match your pattern. But if you know that everything should match one of the first two cases, you can simplify further:

index=app-axxfer-restricted queryType="ts" 
(filename=RECON* NOT filename=RECON*.txt "siteName=Send RECON file") OR
(filename=RECON* NOT filename=RECON*.txt "siteName=Facets to Prod Mark") 
| eval type=case(like(siteName,"Send%"),"Files received from NASCO",
            like(siteName,"Facets%"), "FACETS Files sent to CVS",
            1==1,"Unknown" )
| timechart span=1d count by type

Although you could perhaps remove the third condition in the case statement - I wouldn't. It is a great way to catch something you might have missed.


New Member

Thanks for the suggestion...but my search string has various other files too with the same "siteName" hence I had to use both "filename" and "sitename".



New Member

Thanks Sundar, it worked!!

Not sure why "$" worked when used in the search string but not in the dashboard.


SplunkTrust

Converted to an answer so it can be "Accepted" since this seemed to be the right answer.

The explanation (I'd guess) is that $ is a special character in a dashboard and so maybe those two dollar signs were being interpreted as tokens and Splunk was trying to use ") AND like(siteName,"%Send%")),"Files received from NASCO", (match(filename,"RECON+.\d+.\d+ as a variable with substitution (like $time_tok).

You MIGHT be able to escape each - blah blah \$ blah blah to get around this as well.


Legend

I think you escape with two $, like this: $$


Legend

It is a PCRE-type regular expression; I don't think you can escape one dollar sign with two. Proper regex syntax is that backslash is the escape character. But it looks like the dollar sign was unneeded anyway.
