Solved: HOWTO: replace leading and trailing less than and ...

kragel · ‎03-10-2014

I'm trying to do something like this in my search with SideviewUtils:

eval value1= replace(original, "\s+<", "") | eval value2 = replace(value1, ">", "")

original= <testdata123>
value2=testdata123

XML doesn't like the greater than and less than signs and I can't seem to get a regex to work. Can anyone help me out? Thanks.

I also tried &gt and &lt but couldn't get them to work.

eval value1 = replace(original, \s+&gt, "")

sideview · ‎03-10-2014

You need to either wrap the 'search' param in CDATA tags, or to escape the entities with < and > and the like.

You're very close to doing the latter, but the trailing semicolon on the entities is actually required. It looks like you're doing &gt and &lt without the little semicolons and that'll actually fail (albeit for slightly different reasons in the xml parser).

I find CDATA tags easier to work with fwiw.

<module name="Search">
  <param name="search"><![CDATA[
  eval value1= replace(original, "s+<", "") | eval value2 = replace(value1, ">", "")
  ]]></param>

And if you use the Sideview Editor to create and edit your view, it'll automatically escape the params. Specifically for the HTML module's html param, and the Search module's search param, it'll use CDATA blocks, and for other params it'll escape the chars as > and < etc...

View solution in original post

sideview · ‎03-10-2014

You need to either wrap the 'search' param in CDATA tags, or to escape the entities with < and > and the like.

You're very close to doing the latter, but the trailing semicolon on the entities is actually required. It looks like you're doing &gt and &lt without the little semicolons and that'll actually fail (albeit for slightly different reasons in the xml parser).

I find CDATA tags easier to work with fwiw.

<module name="Search">
  <param name="search"><![CDATA[
  eval value1= replace(original, "s+<", "") | eval value2 = replace(value1, ">", "")
  ]]></param>

And if you use the Sideview Editor to create and edit your view, it'll automatically escape the params. Specifically for the HTML module's html param, and the Search module's search param, it'll use CDATA blocks, and for other params it'll escape the chars as > and < etc...

somesoni2 · ‎04-04-2014

Another options could be this.

| eval value1=replace(original, "(\s*\<*\>*)", "")

kragel · ‎04-04-2014

I ended up using ltrim and rtrim:

[CDATA[eval new_msgid=ltrim(rtrim(msgid,">"),"<")]]

sideview · ‎03-11-2014

The \s thing is just a Splunk thing - you have to manually escape backslash chars in the Splunk search language. so use two backslashes and Splunk will see the one.

You can find the Sideview Editor in Tools > Sideview Editor. No, it's a visual authoring system to create and edit Splunk views without ever touching the XML. It's not for everyone but it can certainly be useful for quick edits and some customers use it for everything.

kragel · ‎03-11-2014

Great, thanks! I'm making progress now. The only thing I still can't get working is removing the leading spaces in the value. Neither of these seem to work. Thank you.

There is a backslash before the "s" but it gets taken out when I post FWIW.

[CDATA[eval original= replace(value1, \s+"<", "")]
[CDATA[eval original= replace(value1, "\s+<", "")]

Also, if you could explain a little more on what you meant when you said, "if you use Sideview Editor it will automatically escape the params", I would appreciate that. I just click on Views - name of my view to edit. Is that Sideview Editor?

HOWTO: replace leading and trailing less than and greater than chars

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023