topic Re: How to easily replace a character in a token value ? in Splunk Search

How to easily replace a character in a token value ?

ctaf — Tue, 26 Jan 2016 13:29:27 GMT

Hello,

I have a token "user" representing the name of a user. This name can contain "(" or ")". When I am using this token to execute a LDAP search, I get an error because it cannot contains brackets. The solution is to replace

 ( by \28

and

) by \29.

I tried it without using the token, and it works:

 | ldapsearch domain=mydoman search="(CN=John Doe \\28test\\29)"

Unfortunately, I am using a dashboard to automatically complete this username. I need to replace the brackets by \28 and \29.
Is there a quick way to do this?

Thank you

Re: How to easily replace a character in a token value ?

jplumsdaine22 — Tue, 26 Jan 2016 13:46:39 GMT

Use eval replace() to reformat the token value

| eval foo=replace($token$),"\(","\28") |eval foo=replace(foo,"\)","\29") |  ldapsearch domain=mydomain search=foo

See replace() in http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonevalfunctions

Re: How to easily replace a character in a token value ?

ctaf — Tue, 26 Jan 2016 13:56:02 GMT

This is something I tried but if I do that, "foo" won't be evaluated. So the LDAP Search string is just the string "foo".

Re: How to easily replace a character in a token value ?

javiergn — Tue, 26 Jan 2016 14:08:38 GMT

This would be my approach (simply replace myToken with $yourtoken$ and it should work):

| eval myToken = "(CN=John Doe (test))"
| rex field=myToken mode=sed "s/(^\(.+)(\()/\\1\\\\\28/g"
| rex field=myToken mode=sed "s/([^\)]+)(\))(.*\)$)/\\1\\\\\29\\3/g"

output: (CN=John Doe \\28test\\29)

Alternatively, this one is a bit more robust as it should replace ALL your parenthesis and then fix your LDAP string by appending opening and closing ones:

| eval myToken = "(CN=John Doe (test))"
| eval myToken = replace(myToken, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<tempToken>.+)\\\\\\\\29$"
| eval myToken = "(" . tempToken . ")"
| fields - tempToken

output: (CN=John Doe \\28test\\29)

Alternative number 3 as suggested below:

| gentimes start=-1
| eval myToken = replace($token$, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<tempToken>.+)\\\\\\\\29$"
| eval myToken = "(" . tempToken . ")"
| fields - tempToken
| map search="| ldapsearch domain=mydoman search=\"$$myToken$$\""

Let me know if that helps.

Thanks,
Javier

Re: How to easily replace a character in a token value ?

ctaf — Tue, 26 Jan 2016 14:58:09 GMT

The problem is that this solution uses the token value in the "field=XXX" option.

| rex field=John Doe (test) mode=sed "s/(^(.+)(()/\1\\\28/g"
| rex field=John Doe (test) mode=sed "s/([^)]+)())(.*)$)/\1\\\29\3/g"

Re: How to easily replace a character in a token value ?

javiergn — Tue, 26 Jan 2016 15:06:28 GMT

I see what you mean. Sorry i don't have an easy way to test this but what about the following using the map command?

| gentimes start=-1
| eval myToken = replace($token$, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<tempToken>.+)\\\\\\\\29$"
| eval myToken = "(" . tempToken . ")"
| fields - tempToken
| map search="| ldapsearch domain=mydoman search=\"$$myToken$$\""

EDIT: fixed query above as there was a typo because of the copy and paste
EDIT2: adding double $ to myToken

Re: How to easily replace a character in a token value ?

ctaf — Tue, 26 Jan 2016 15:29:43 GMT

This solution give me a "The search is waiting for input" message on my dashboard. I guess it is because "$myToken$" is not set.

EDIT: I think I missed your "edit". What did you change?

Re: How to easily replace a character in a token value ?

somesoni2 — Tue, 26 Jan 2016 15:32:44 GMT

Use double $ sign for mytoken.

Re: How to easily replace a character in a token value ?

ctaf — Tue, 26 Jan 2016 15:38:51 GMT

That's what I did: | ldapsearch domain=mydomain search=\"(CN=$myToken$)\"

Re: How to easily replace a character in a token value ?

jplumsdaine22 — Tue, 26 Jan 2016 15:39:13 GMT

Use map as well then:

| eval foo=replace($token$),"\(","\28") |eval foo=replace(foo,"\)","\29") | map search="| ldapsearch domain=mydoman search=$foo$"

Re: How to easily replace a character in a token value ?

somesoni2 — Tue, 26 Jan 2016 15:43:21 GMT

No like this

 | ldapsearch domain=mydomain search="(CN=$$myToken$$)"

Re: How to easily replace a character in a token value ?

ctaf — Tue, 26 Jan 2016 16:03:31 GMT

Oh OK. We're progressing, but it still doesn't work. I am not sure what is "tempToken" for as it is empty and the last "eval myToken" makes "myToken" empty too... Very strange.

Re: How to easily replace a character in a token value ?

javiergn — Tue, 26 Jan 2016 16:09:44 GMT

That was just me wanting to display all the different field values for debugging purposes in my test query. Feel free to get rid of it:

| gentimes start=-1
| eval myToken = replace($token$, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<myToken>.+)\\\\\\\\29$"
| eval myToken = "(" . myToken . ")"
| map search="| ldapsearch domain=mydoman search=\"$$myToken$$\""

Re: How to easily replace a character in a token value ?

ctaf — Tue, 26 Jan 2016 16:26:19 GMT

Yeah ! I managed to make it work:

| gentimes start=-1 | eval myToken = replace("$user$", "\(", "\\28")   | eval myToken = replace(myToken, "\)", "\\29")  | map search="| ldapsearch domain=mydomain search=\"(CN=$$myToken$$)\""

Splunk was showing only 2 backslash in when you set up 5 of them but when using it in the LDAP search, it needed only 2...

I removed the rex function and the last eval too.

I have one more question: What is "gentimes" for ?

Re: How to easily replace a character in a token value ?

ctaf — Tue, 26 Jan 2016 16:26:31 GMT

Thank you !

Re: How to easily replace a character in a token value ?

javiergn — Tue, 26 Jan 2016 16:29:09 GMT

That's just for my example to be able to use non search commands when you don't really have a search. You can use "| stats count" too.

It is quite useful when testing things as otherwise you need to start your search with an actual search or input type command.

There are other uses for gentimes of course. See the doc