Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use the eval replace function in dashboard xml

bobbycrispbox
Explorer
‎02-14-2017 02:34 PM

Note this question relates to the replace eval function, not the replace search command. I've been referring to the documentation in https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/CommonEvalFunctions

My requirement is to take a list of space-delimited values in an input field and turn it into a comma-separated list for passing to the search For example, a b c d in the input should be transformed to ('a','b','c','d'). Here's my input definition from the dashboard:

 <input type="text" searchWhenChanged="false" token="order_number">
  <label>Order Number</label>
  <default></default>
  <change>
    <eval token="order_number_q">if($value$=="","","('"+replace(ltrim(rtrim($value$))," +","','")+"') ")</eval>
  </change>
</input>

The issue is that only the first instance of the space is replaced - so with my example above I'm ending up with ('a','b c d')

Documentation on the replace evaluation function is light, and I haven't found anyone else in Splunk Answers experiencing this behavior.

0 Karma
Reply

Kenshiro70
Path Finder
‎03-29-2018 08:22 PM

Have you tried replacing the space character with \s?

     <eval token="order_number_q">if($value$=="","","('"+replace(ltrim(rtrim($value$)),"\s+","','")+"') ")</eval>

It's possible the space is getting borked somehow via XML.

0 Karma
Reply

nickhills
Ultra Champion
‎02-14-2017 02:48 PM

Could you use split?

*|eval inputfield="a b c d"|eval temp=split(inputfield," ") | eval outputfield=mvindex(temp,0).",".mvindex(temp,1).",".mvindex(temp,2).",".mvindex(temp,3)|table inputfield outputfield

this produces

inputfield | outputfield
a b c d | a,b,c,d
If my comment helps, please give it a thumbs up!
0 Karma
Reply

bobbycrispbox
Explorer
‎02-14-2017 03:04 PM

I should point out that a b c d could be a b c d e f -- I need to keep this solution general to accept any number of space-separated inputs. Your solution looks like it would need to fix the number of outputs.

I note that replace does work as I would have expected in the context of a search, like this:

*|eval inputfield="a b c d"|eval outputfield="('"+replace(inputfield," ","'','")+"')" |table inputfield outputfield

but it does not in the context of a dashboard input.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...