topic Re: Replacing $var$ with var in Dashboards & Visualizations

Replacing $var$ with var

nightflame — Tue, 29 Sep 2020 16:22:35 GMT

The `notable` macro returns a field drilldown_search with the variables $user$ and $dest" embedded in it.

I would like to make use of this elsewhere and replace $user$ and $dest$ will the values of those fields respectively.

Is there a simple way in SPL to tell Splunk to substitute $var$ for var?

The best I have come up with is:

`notable`
| eval drilldown_search = if(like(drilldown_search,"%$user$%"), replace(drilldown_search,"\$user\$", user), drilldown_search)
| eval drilldown_search = if(like(drilldown_search,"%$dest$%"), replace(drilldown_search,"\$dest\$", dest), drilldown_search)

This seems a bit convoluted and I need a statement for each $var$.

Also I found if I do not use the if(like(... then replace returns drilldown_search as null if it does not match.

Is there a better way of doing this?

Re: Replacing $var$ with var

elliotproebstel — Mon, 23 Oct 2017 14:16:00 GMT

If you want to get rid of all instances of the $ character in your drilldown_search field, then rex should work:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Rex

| rex field=drilldown_search mode=sed "s/\$//g"

Re: Replacing $var$ with var

nightflame — Mon, 23 Oct 2017 14:35:40 GMT

That's not quite what I wanted. I want to replace $var$ the value of var, not "var" string. Note the lack of quotes around user in my replace example.

So for example I have a field user="fred"

Then I want to resolve $user$ to "fred", not "user"

Hope that makes sense.

Re: Replacing $var$ with var

koshyk — Mon, 23 Oct 2017 15:36:54 GMT

Have a try

  `notable`
| stats count by drilldown_search,dest,src,user
| foreach * [eval drilldown_search=replace(drilldown_search,"\$<<FIELD>>\$", <<FIELD>>)]

The important thing to note here is, stats count statement will ensure the fields that have values only will come out. If you need to accommodate null values, you may need to fiddle but the logic should work.

Re: Replacing $var$ with var

niketn — Mon, 23 Oct 2017 16:39:44 GMT

@nightflame, can you share some of the outputs of macro notable with few drilldown_search field values. Can it return only $user$ or $dest$ or both?

Besides the $user$ and/or $dest$ values being returned for field drilldown_search, is the macro also returning user and dest fields? What are some of these fields values? Will it be possible for you to share macro code?

Re: Replacing $var$ with var

elliotproebstel — Mon, 23 Oct 2017 17:08:28 GMT

Ah, it does. I misread, sorry. In that case, the answer by @koshyk should do the trick.

Re: Replacing $var$ with var

nightflame — Tue, 29 Sep 2020 16:25:00 GMT

Is that you Kiran? 🙂

This works a treat.

No not all the fields will exist. I just need to add this in front:

Shame I cannot condense the '| eval user= if(isnull(user),"",user )' etc into one statement where I do not need to know the names of $var$.

Thanks.