Note this question relates to the replace eval function, not the replace search command. I've been referring to the documentation in https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/CommonEvalFunctions
My requirement is to take a list of space-delimited values in an input field and turn it into a comma-separated list for passing to the search For example, a b c d in the input should be transformed to ('a','b','c','d'). Here's my input definition from the dashboard:
<input type="text" searchWhenChanged="false" token="order_number"> <label>Order Number</label> <default></default> <change> <eval token="order_number_q">if($value$=="","","('"+replace(ltrim(rtrim($value$))," +","','")+"') ")</eval> </change> </input>
The issue is that only the first instance of the space is replaced - so with my example above I'm ending up with ('a','b c d')
Documentation on the replace evaluation function is light, and I haven't found anyone else in Splunk Answers experiencing this behavior.
Could you use split?
*|eval inputfield="a b c d"|eval temp=split(inputfield," ") | eval outputfield=mvindex(temp,0).",".mvindex(temp,1).",".mvindex(temp,2).",".mvindex(temp,3)|table inputfield outputfield
inputfield | outputfield a b c d | a,b,c,d
I should point out that a b c d could be a b c d e f -- I need to keep this solution general to accept any number of space-separated inputs. Your solution looks like it would need to fix the number of outputs.
I note that replace does work as I would have expected in the context of a search, like this:
*|eval inputfield="a b c d"|eval outputfield="('"+replace(inputfield," ","'','")+"')" |table inputfield outputfield
but it does not in the context of a dashboard input.
Have you tried replacing the space character with \s?
<eval token="order_number_q">if($value$=="","","('"+replace(ltrim(rtrim($value$)),"\s+","','")+"') ")</eval>
It's possible the space is getting borked somehow via XML.