I have the below search query which gives good results, but when used in a dashboard it says "Search is waiting for input";
when I remove the rex from the second statement it works in the dashboard.
index=app-axxfer-restricted queryType="ts"
(
((filename=RECON* NOT filename=RECON*.txt) "siteName=Send RECON file") OR
((filename=RECON* NOT filename=RECON*.txt) "siteName=Facets to Prod Mark")
)
|eval type =case(
(match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Send%")),"Files received from NASCO",
(match(filename,"RECON+.\d+.\d+$") AND like(siteName,"%Facets%")) , "FACETS Files sent to CVS"
)|timechart span=1d count by type
This works only when I remove the rex as below... but this is no good for me:
(match(filename,"RECON") AND like(siteName,"%Facets%")) , "FACETS Files sent to CVS"
Can you please tell me what to do for the case statement so that it works in the dashboard even if I use multiple rex?
There are a couple of alternatives here to simplify the overall search string.
index=app-axxfer-restricted queryType="ts"
(
(filename=RECON* NOT filename=RECON*.txt "siteName=Send RECON file") OR
(filename=RECON* NOT filename=RECON*.txt "siteName=Facets to Prod Mark")
)
| eval type=case(
match(filename,"RECON+.\d+.\d+$") AND like(siteName,"Send%"),"Files received from NASCO",
match(filename,"RECON+.\d+.\d+$") AND like(siteName,"Facets%"), "FACETS Files sent to CVS",
1==1,"Unknown"
)
| timechart span=1d count by type
If you have tested the file name in the base search, you should not need to test it again in the eval - unless you want to eliminate more of the results. In the search above, I added a "catch-all" to the case statement to pick up any cases that don't match your pattern. But if you know that everything should match one of the first two cases, you can simplify further:
index=app-axxfer-restricted queryType="ts"
(filename=RECON* NOT filename=RECON*.txt "siteName=Send RECON file") OR
(filename=RECON* NOT filename=RECON*.txt "siteName=Facets to Prod Mark")
| eval type=case(like(siteName,"Send%"),"Files received from NASCO",
like(siteName,"Facets%"), "FACETS Files sent to CVS",
1==1,"Unknown" )
| timechart span=1d count by type
Although you could perhaps remove the third condition in the case statement - I wouldn't. It is a great way to catch something you might have missed.
Thanks for the suggestion... but my search string has various other files too with the same "siteName", hence I had to use both "filename" and "siteName".
My guess is it's the $ sign. Try removing that in your rex.
Thanks Sundar, it worked!!
Not sure why "$" worked when used in the search string but not in the dashboard.
Converted to an answer so it can be "Accepted" since this seemed to be the right answer.
The explanation (I'd guess) is that $ is a special character in a dashboard, and so maybe those two dollar signs were being interpreted as tokens and Splunk was trying to use $") AND like(siteName,"%Send%")),"Files received from NASCO", (match(filename,"RECON+.\d+.\d+$ as a variable with substitution (like $time_tok$).
You MIGHT be able to escape each - blah blah \$ blah blah - to get around this as well.
I think you escape with two $, like this: $$
It is a PCRE-type regular expression; I don't think you can escape one dollar sign with two. Proper regex syntax is that backslash is the escape character. But it looks like the dollar sign was unneeded anyway.
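To make the token explanation above concrete, here is an added Python model of what a dashboard's $...$ token scan would do to the eval clause from the question. It is not Splunk's actual parser and not code from this thread: it assumes, as a simplification, that any text between two dollar signs is read as a token name, and that an unresolved token is what leaves the panel "waiting for input". The search text is a constructed copy of the clause in the question.

```python
import re

# Constructed copy of the eval clause from the question. Each match() regex
# ends in a "$" end-of-string anchor, so the clause contains two dollar signs.
SEARCH_WITH_ANCHORS = (
    '| eval type=case('
    '(match(filename,"RECON+.\\d+.\\d+$") AND like(siteName,"%Send%")),'
    '"Files received from NASCO", '
    '(match(filename,"RECON+.\\d+.\\d+$") AND like(siteName,"%Facets%")),'
    '"FACETS Files sent to CVS")'
)

# Assumed token syntax: a name enclosed in a pair of dollar signs.
TOKEN_RE = re.compile(r"\$([^$]*)\$")


def find_dashboard_tokens(search):
    """Return the token names a naive $...$ scanner extracts from the search.

    This models the dashboard's behaviour, not the search language: in the
    search bar the "$" is just a regex anchor, in the dashboard it is a
    token delimiter.
    """
    return TOKEN_RE.findall(search)


def substitute_tokens(search, values):
    """Replace each $name$ with its value.

    Returns (resulting_search, missing_tokens). A non-empty missing list is
    the condition under which a panel would sit waiting for input.
    """
    missing = []

    def repl(match):
        name = match.group(1)
        if name in values:
            return values[name]
        missing.append(name)
        return match.group(0)

    return TOKEN_RE.sub(repl, search), missing


def drop_end_anchors(search):
    """Apply the accepted answer: remove the "$" anchors from the regexes.

    The base search already restricts filename to RECON* (and excludes
    RECON*.txt), so the end-of-string anchor carried no extra filtering.
    """
    return search.replace('$")', '")')


if __name__ == "__main__":
    print("tokens seen in the original clause:")
    print(find_dashboard_tokens(SEARCH_WITH_ANCHORS))
    _, missing = substitute_tokens(SEARCH_WITH_ANCHORS, {})
    print("unresolved tokens (panel waits for input):", len(missing))
    fixed = drop_end_anchors(SEARCH_WITH_ANCHORS)
    print("tokens after dropping the anchors:", find_dashboard_tokens(fixed))
    # A real token still substitutes normally in the fixed clause.
    print(substitute_tokens("index=x earliest=$time_tok$ " + fixed,
                            {"time_tok": "-24h"})[1])
```

Running it shows a single spurious "token" whose name is everything between the first regex's anchor and the second's, exactly the fragment quoted in the explanation above, and no tokens at all once the anchors are removed. The same model is why a regex anchor is harmless in the search bar but not in a dashboard panel.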