Dashboards & Visualizations

How to use the replace command to modify a regex token on my dashboard?

TiagoTLD1
Communicator

Hello,

I have a chart where I want to use the drilldown in a table below, where I will want to search for that selected field in the chart.

The problem is the field has " in it, so I can't use a WHERE clause because it can't have more than two ".

So I figured I can use eval functions in this way (it is documented), and the replace function allows me to replace the " by \" so it can be used in a WHERE clause. I tested it outside the dashboard, with success.

**<eval token="drillregex">replace($click.name2$,"\"","")</eval>**

The issue is that this is only replacing the FIRST occurrence of ", so I still have other " in the data.

It is strange because replace function is supposed to replace every occurrence of it...

Any clues ?

Thanks in advance

0 Karma
1 Solution

sundareshr
Legend

You should be able to escape the quotes in the query like this "$tokName|s$. Now this may work in the drilldown section as well, I haven't tried. Worth a try though.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/tokens#Token_filters

View solution in original post

sundareshr
Legend

You should be able to escape the quotes in the query like this "$tokName|s$. Now this may work in the drilldown section as well, I haven't tried. Worth a try though.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/tokens#Token_filters

TiagoTLD1
Communicator

Thank you!

0 Karma

TiagoTLD1
Communicator

Hi

Unfortunately that would only solve the issue for data with two ".

Data with more " would require more of that code and that would not be a good pratice.

Exemple: User with login "xxx" and id "zzzz" connected to server "yyy"

0 Karma

sundareshr
Legend

Why not do the replace in your query, before the where clause?

0 Karma

TiagoTLD1
Communicator

Sure, i already do that replace in order to compare data values without " against the token values. But the token mustn't have the " too. So I still need that token to not have ". The behaviour of replace function in the eval is apparently different inside the Dashboard and in a simple search.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Run the replace twice

<eval token="drillregex">replace(replace($click.name2$,"\"",""),"\"","")</eval>

Also, can you post some sample values that you receive in the chart?

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...