I have the below search query, which gives good results, but when used in a dashboard it says "Search is waiting for input".
When I remove the rex from the second statement, it works in the dashboard.
index=app-axxfer-restricted queryType="ts"
(
    ((filename=RECON* NOT filename=RECON*.txt) "siteName=Send RECON file") OR
    ((filename=RECON* NOT filename=RECON*.txt) "siteName=Facets to Prod Mark")
)
| eval type=case(
    (match(filename,"RECON+\.\d+\.\d+$") AND like(siteName,"%Send%")), "Files received from NASCO",
    (match(filename,"RECON+\.\d+\.\d+$") AND like(siteName,"%Facets%")), "FACETS Files sent to CVS"
)
| timechart span=1d count by type
This works only when I remove the rex, as below, but this is no good for me:
(match(filename,"RECON") AND like(siteName,"%Facets%")) , "FACETS Files sent to CVS"
Can you please tell me what to do for the case statement so that it works in the dashboard even if I use multiple rex?