Hi all,
I am quite new to Splunk and now trying to create a dashboard panel using a query that does the following:
pulls the required fields from an index based on textfield input
checks on one specific field "opsID" from the index against a field "code" in a CSV I uploaded
if it is present in the csv, I just want to return a simple output that I could use to display in a table form
The csv looks something like this:
code, notes
123, User
456, Admin
789, User
Example of my query:
index=userdatabase "abc12345" | eval abc=[|inputlookup Lookup.csv | where code=opsID| fields notes] | eval isPresent=if(abc!="", YES, NO) | table username, isPresent
However, I am getting errors like: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'. I tried for a few days and can't seem to figure out my mistake, hence I am hoping for some help with my basic question. I have a feeling my logic could be wrong to begin with.
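
One way to do the check described in the post, as an added example that is not part of the original post: a subsearch inside `eval` is expanded into search-filter text rather than a field value, so this version uses the `lookup` command to match each event's opsID against the code column of Lookup.csv and copy notes onto the event when there is a match. It uses only the index, file and field names given in the post, and quotes "YES" and "NO" so that `eval` reads them as strings instead of field names.

```spl
index=userdatabase "abc12345"
| lookup Lookup.csv code AS opsID OUTPUT notes
| eval isPresent=if(isnotnull(notes), "YES", "NO")
| table username, isPresent
```

Events whose opsID has no matching row in the CSV get no notes value, so isPresent is "NO" for them.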