Dashboards & Visualizations

EVAL tag in simple XML with replace regular expressions OR variable with multiple values to be used in the main search?

cyvi01
Path Finder

Hi,

I'm facing a problem. I'm trying to solve my current issue via 2 different approaches, but I'm unfortunately unable to complete either of these solutions. I'm trying to provide a dashboard with a form in which some of the fields should allow users to sort data using multiple inclusions or exclusions to fit what each and every team works with.

Solution 1: Use an EVAL tag in the XML code and use the variable in the main base search, like "index=test $exclude_uri$ | stats count BY cs_uri_sterm"

I tried something like this, using a panel to display the result:

<form>
  <fieldset submitButton="true">
    <input type="text" token="exclude" searchWhenChanged="true">
      <default></default>
      <change>
        <eval token="exclude_uri">replace(replace(trim(exclude), "\\s+", " "), "(\\S+)", "cs_uri_sterm!=\"\1\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>Token:<b>$exclude_uri$</b></p>
      </html>
    </panel>
  </row>
</form>

However, I'm facing several issues:
- For some reason, multiple whitespaces are removed by default even if I remove the replace and trim functions dedicated to that. Why?
- \1 does not seem to be recognized. For some reason a lot of people do not need \\, but it seems like I need them; this does not work for \\1 anyway, only for \s+ and \S+. Any reason? How can I make this work?

On the other hand, it does work if I implement the same in a makeresults test search as follows:

| makeresults
| eval exclude="/assets/*    /api/* "
| eval exclude_uri=replace(replace(trim(exclude), "(\S+)", "cs_uri_sterm!=\"\1\""), "\s+", " ")

 

 

providing:

_time                    exclude                exclude_uri
2022-11-10 15:21:17      /assets/*    /api/* 	cs_uri_sterm!="/assets/*" cs_uri_sterm!="/api/*"

 

 


Why is it different?

Solution 2: Use a makeresults like above and use its output as a direct filter in my base search

I tried that, but I'm not able to find a proper solution:

index=test [ | makeresults | eval | eval exclude_uri=replace(replace(trim($exclude$), "(\S+)", "cs_uri_sterm!=\"\1\""), "\s+", " ") | table exclude_uri ]

 

 


I should get something like index=test cs_uri_sterm!="/assets/*" cs_uri_sterm!="/api/*" if the user filled "/assets/* /api/*" in the form text input.

I have also tried the same with an MV field.

index=text [ | makeresults | eval exclude_uri=replace(replace(trim($exclude$), "(\S+)", "cs_uri_sterm!=\"\1\""), "\s+", " ") | makemv delim=" " exclude_uri | mvexpand exclude_uri | table exclude_uri ]

 

 


Nothing works. I spent a few hours trying to look at solutions. I even tried to see if I could use something like search ... IN or where something. Any advice? I really need this.

JavaScript may be my solution, I don't know. Kind of stuck here.

johnhuang
Motivator

Try this:

<eval token="exclude_uri">"NOT cs_uri_sterm IN (\\\"".replace(trim($exclude$),"\\s+","\\\", \\\"")."\\\")"</eval>

cyvi01
Path Finder

Thank you. Your point is not the solution, but it helped me a lot to know what to do:

<eval token="exclude_uri">"cs_uri_sterm!=\"".replace($exclude$,"\\s+","\" cs_uri_sterm!=\"")."\""</eval>

 
It looks like that when empty (which is perfect):

[Image: cyvi01_0-1668124731738.png]

or like that if filled:

[Image: cyvi01_1-1668124800519.png]
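
Added example, not part of the thread and not Splunk's own code: the same transformation (whitespace-separated patterns into a search filter) written as plain JavaScript, the route the original post mentions, with quote escaping and empty-input handling. The function names are hypothetical, and backslash escaping inside double-quoted SPL values is an assumption.

```javascript
'use strict';
// Added example, not code from the thread. Function names are hypothetical;
// the field name cs_uri_sterm is the one used in the thread.

// Quote one value for SPL. Assumption: inside a double-quoted value,
// backslash escapes both \ and ", so a pattern cannot close the quote early.
function quoteSplValue(value) {
  return '"' + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Split the text box content on whitespace; leading, trailing and repeated
// spaces produce no empty patterns.
function splitPatterns(input) {
  return String(input == null ? '' : input).split(/\s+/).filter((p) => p !== '');
}

// Accept only plain field names, so the field cannot carry search syntax.
function checkField(field) {
  if (!/^[A-Za-z_][A-Za-z0-9_.]*$/.test(field)) {
    throw new Error('unexpected field name: ' + field);
  }
  return field;
}

// field!="p1" field!="p2" ...; empty input gives an empty string.
function buildExcludeClause(input, field = 'cs_uri_sterm') {
  checkField(field);
  return splitPatterns(input).map((p) => field + '!=' + quoteSplValue(p)).join(' ');
}

// NOT field IN ("p1", "p2"); empty input gives an empty string.
function buildNotInClause(input, field = 'cs_uri_sterm') {
  checkField(field);
  const values = splitPatterns(input).map(quoteSplValue);
  return values.length ? 'NOT ' + field + ' IN (' + values.join(', ') + ')' : '';
}

// Constructed sample inputs: the thread's example, empty input, and a
// pattern containing a double quote.
for (const sample of ['/assets/*    /api/* ', '', '/a"b /c']) {
  console.log(JSON.stringify(sample), '=>', buildExcludeClause(sample));
  console.log(JSON.stringify(sample), '=>', buildNotInClause(sample));
}
```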
