Hello all,

This is the first time I have actually posted a question here, since most topics are documented quite well and many questions have already been asked and answered. However, I have finally found an issue that I cannot find any answer to. I guess that Splunk is not designed for this, but I nevertheless want to build something like it.

I'm currently building a dashboard that serves, besides other purposes, as a documentation site for adding new values or modifying them (in a CSV lookup file). The issue I now have is that, although I have created a query for creating new entries (via | makeresults ... etc.) and a separate one for modifying existing entries, it is not possible for me to combine them into one and switch between the two functions based on a value provided by an input field.

So far I have tried the following as a "switch function":

| eval var=case(switch="yes","| append [| makeresults | eval ExternalId=",switch="no","| search ExternalId=",1==1,"| append [| makeresults | eval ExternalId=")

In a second attempt I put the whole case-dependent part into the variable, e.g.:

| append [| makeresults | eval DisplayName="$displayname$" | eval ExternalId="$location$" | eval Address="$address$"
| eval Location_type="$location_type$" | eval Primary_contact="$primary_contact$" | eval Secondary_contact="$secondary_contact$"
| eval Regional_manager="$regional_manager$" | eval spoc="$spoc$" | eval subnets="$subnets$"]

However, in this case Splunk takes the variable references as literals and creates an entry that looks as follows:

$displayname$ $location$ $address$ $location_type$ $primary_contact$ $secondary_contact$ $regional_manager$ $spoc$ $subnets$

I have tried the known escape characters etc., but nothing worked. Do you have any ideas on how to solve this issue? Many thanks in advance.
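One way to branch a single dashboard search on an input value, as an added example that is not part of the original post or of any answer to it. An eval cannot emit SPL commands for the search to execute, so the branching here is done the other way round: the create and update paths are both written into one query, and the `$switch$` token is compared as a string literal in `where` and `if()` so that only one path has an effect. The lookup name `locations.csv`, the three shown columns and the input layout are assumptions for the illustration; `$token|s$` (quote-and-escape a token value), `<fieldset submitButton="true" autoRun="false">` and the Simple XML form elements are standard Splunk dashboard features.

```xml
<form>
  <label>Location lookup editor</label>
  <!-- autoRun="false" plus a submit button: the search, and therefore the
       outputlookup at the end of it, runs only when the user presses Submit,
       not on every page load or token change -->
  <fieldset submitButton="true" autoRun="false">
    <input type="radio" token="switch">
      <label>Create new entry?</label>
      <choice value="yes">yes (create)</choice>
      <choice value="no">no (update existing)</choice>
      <default>no</default>
    </input>
    <!-- assumed subset of the columns from the post; extend with the others the same way -->
    <input type="text" token="location"><label>ExternalId</label></input>
    <input type="text" token="displayname"><label>DisplayName</label></input>
    <input type="text" token="address"><label>Address</label></input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
| inputlookup locations.csv
| append
    [| makeresults
     | eval ExternalId=$location|s$, DisplayName=$displayname|s$, Address=$address|s$
     | where $switch|s$="yes"
     | fields - _time]
| eval hit=if($switch|s$="no" AND ExternalId=$location|s$, 1, 0)
| eval DisplayName=if(hit=1, $displayname|s$, DisplayName),
       Address=if(hit=1, $address|s$, Address)
| fields - hit
| outputlookup locations.csv
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Tokens are substituted as plain text into the query before it runs, which is exactly why the post's second attempt printed `$displayname$` literally: the substitution happens in the dashboard, not inside a string built by eval. It is also why the `|s` filter matters here: a free-text value such as `x" | outputlookup -- ` would otherwise close the quote and inject further SPL into a search that writes to the lookup, whereas `$location|s$` wraps the value in double quotes and escapes any quotes or backslashes inside it. The write still runs with the permissions of whoever opens the dashboard, so the lookup should be owned by and shared from an app where only the intended editors can reach this form.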