All Apps and Add-ons

HOWTO: replace leading and trailing less than and greater than chars

kragel
Path Finder

I'm trying to do something like this in my search with SideviewUtils:

eval value1= replace(original, "\s+<", "") | eval value2 = replace(value1, ">", "")

original= <testdata123>
value2=testdata123

XML doesn't like the greater than and less than signs and I can't seem to get a regex to work. Can anyone help me out? Thanks.

I also tried &gt and &lt but couldn't get them to work.

eval value1 = replace(original, \s+&gt, "")
1 Solution

sideview
SplunkTrust
SplunkTrust

You need to either wrap the 'search' param in CDATA tags, or to escape the entities with < and > and the like.

You're very close to doing the latter, but the trailing semicolon on the entities is actually required. It looks like you're doing &gt and &lt without the little semicolons and that'll actually fail (albeit for slightly different reasons in the xml parser).

I find CDATA tags easier to work with fwiw.

<module name="Search">
  <param name="search"><![CDATA[
  eval value1= replace(original, "s+<", "") | eval value2 = replace(value1, ">", "")
  ]]></param>

And if you use the Sideview Editor to create and edit your view, it'll automatically escape the params. Specifically for the HTML module's html param, and the Search module's search param, it'll use CDATA blocks, and for other params it'll escape the chars as > and < etc...

View solution in original post

sideview
SplunkTrust
SplunkTrust

You need to either wrap the 'search' param in CDATA tags, or to escape the entities with < and > and the like.

You're very close to doing the latter, but the trailing semicolon on the entities is actually required. It looks like you're doing &gt and &lt without the little semicolons and that'll actually fail (albeit for slightly different reasons in the xml parser).

I find CDATA tags easier to work with fwiw.

<module name="Search">
  <param name="search"><![CDATA[
  eval value1= replace(original, "s+<", "") | eval value2 = replace(value1, ">", "")
  ]]></param>

And if you use the Sideview Editor to create and edit your view, it'll automatically escape the params. Specifically for the HTML module's html param, and the Search module's search param, it'll use CDATA blocks, and for other params it'll escape the chars as > and < etc...

somesoni2
SplunkTrust
SplunkTrust

Another options could be this.

| eval value1=replace(original, "(\s*\<*\>*)", "")

0 Karma

kragel
Path Finder

I ended up using ltrim and rtrim:

[CDATA[eval new_msgid=ltrim(rtrim(msgid,">"),"<")]]

0 Karma

sideview
SplunkTrust
SplunkTrust

The \s thing is just a Splunk thing - you have to manually escape backslash chars in the Splunk search language. so use two backslashes and Splunk will see the one.

You can find the Sideview Editor in Tools > Sideview Editor. No, it's a visual authoring system to create and edit Splunk views without ever touching the XML. It's not for everyone but it can certainly be useful for quick edits and some customers use it for everything.

0 Karma

kragel
Path Finder

Great, thanks! I'm making progress now. The only thing I still can't get working is removing the leading spaces in the value. Neither of these seem to work. Thank you.

There is a backslash before the "s" but it gets taken out when I post FWIW.

[CDATA[eval original= replace(value1, \s+"<", "")]
[CDATA[eval original= replace(value1, "\s+<", "")]

Also, if you could explain a little more on what you meant when you said, "if you use Sideview Editor it will automatically escape the params", I would appreciate that. I just click on Views - name of my view to edit. Is that Sideview Editor?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...