topic Re: How do we edit the format of a token value before it is passed to a search? in Splunk Search

How do we edit the format of a token value before it is passed to a search?

avanthi1823 — Tue, 27 Oct 2015 04:10:38 GMT

Experts,

We have a input form which expects a UID type of data from users. There are few known formats to UID, like: abcd:efgh:ijkl OR ab-cd-ef-gh-ij-kl OR ab:cd:ef:gh:ij:kl OR ab.cd.ef.gh.ij.kl

User can enter any one of these formats which we grab to the token "fix". We then want to straighten the user input by removing -,:,.

Example:

index=abc source=xyz fix=search[|eval fix="$fix$"|eval fix1 = upper(replace(fix,"([-:\.])",""))|return fix1]

This is not working. It keeps saying that it didn't find any results. If I just use:

index=abc source=xyz |eval fix = upper(replace(Original_field,"([-:\.])"),"")

it straightens out and gives the desired output: ABDCDEFGHIJKL

Note: Original_field is what actually holds the abcd:efgh:ijkl OR ab-cd-ef-gh-ij-kl OR ab:cd:ef:gh:ij:kl OR ab.cd.ef.gh.ij.kl patterns. We have created "Fix" as a Field Extraction to straighten out data from the Backend. Since we can't anticipate what format the user is going to enter, we want to grab it anyway and straighten it out and pass it to the search from the front-end as well. I have been searching and found couple of answers

https://answers.splunk.com/answers/127021/manipulate-a-token-string-in-a-form.html

but no luck.

Thanks in advance
Avanthi

Re: How do we edit the format of a token value before it is passed to a search?

wpreston — Tue, 27 Oct 2015 19:09:35 GMT

Would making the value of fix=$fix$ a subsearch accomplish what you need?

index=abc source=xyz [search | stats count |eval fix="$fix$"|eval fix = upper(replace(fix,"([-:\.])",""))| fields - count]

Re: How do we edit the format of a token value before it is passed to a search?

somesoni2 — Tue, 27 Oct 2015 19:20:24 GMT

Try something like this

 index=abc source=xyz fix=search[| noop |eval fix="$fix$"|eval fix1 = upper(replace(fix,"([-:\.])",""))|return fix1]

Update Didn't test that | noop doesn't work for this purpose.

 index=abc source=xyz fix=search[| gentimes start=-1 |eval fix="$fix$"|eval fix1 = upper(replace(fix,"([-:\.])",""))|return fix1]

Re: How do we edit the format of a token value before it is passed to a search?

wpreston — Tue, 27 Oct 2015 19:24:40 GMT

It looks like noop is an undocumented command. Would you mind giving a quick rundown of what it does? I'd like to learn...

Re: How do we edit the format of a token value before it is passed to a search?

somesoni2 — Tue, 27 Oct 2015 20:32:21 GMT

I saw someone used noop in the same way so though of suggesting with it. It's indeed not documented but some details available here.

https://answers.splunk.com/answers/241584/splunk-should-upgrade-the-noop-command-to-take-a-s.html