I have dashboard panel with a dropdown menu on it. When the user selects a category from the dropdown, it will be stored in the variable $category$.
Based on the category selected by the user, I want to apply a regular expression to the "name" field in my search.
For example, if the user selects the category "category1", then I want to apply the regular expression "^(my|reg|ex)" to the "name" field in my search.
Here's what I tried:
sourcetype = mysourcetype | eval catregex = case(match($app_category$,"category1"),"^(my|reg|ex)" | regex name = catregex
This is not working. I'm thinking that the problem is with the command regex name = catregex
regex name = catregex
Maybe the field/variable that I created, catregex, is being interpreted as a string in that context? If so, how can I make sure it's interpreted as a variable?
I also tried something like this with regex command, but it seems this is not possible:
regex name = case(match($app_category$,"category1"),"^(my|reg|ex)"
Any help would be greatly appreciated!
Thanks, fellow Splunkers!
can you try to cast the variable in a field with an eval first ?
sourcetype = mysourcetype | eval mycategory=$app_category$ | eval catregex = case(match(mycategory,"category1"),"^(my|reg|ex)" | regex name = catregex
I eventually figured this one out. The fix is to put $app_category$ in double quotes:
View solution in original post