Dashboards & Visualizations

How to use the replace command to modify a regex token on my dashboard?

TiagoTLD1
Communicator

Hello,

I have a chart where I want to use the drilldown in a table below, where I will want to search for that selected field in the chart.

The problem is the field has " in it, so I can't use a WHERE clause because it can't have more than two ".

So I figured I can use eval functions in this way (it is documented), and the replace function allows me to replace the " by \" so it can be used in a WHERE clause. I tested it outside the dashboard, with success.

**<eval token="drillregex">replace($click.name2$,"\"","")</eval>**

The issue is that this is only replacing the FIRST occurrence of ", so I still have other " in the data.

It is strange because replace function is supposed to replace every occurrence of it...

Any clues ?

Thanks in advance

0 Karma
1 Solution

sundareshr
Legend

You should be able to escape the quotes in the query like this "$tokName|s$. Now this may work in the drilldown section as well, I haven't tried. Worth a try though.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/tokens#Token_filters

View solution in original post

sundareshr
Legend

You should be able to escape the quotes in the query like this "$tokName|s$. Now this may work in the drilldown section as well, I haven't tried. Worth a try though.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/tokens#Token_filters

TiagoTLD1
Communicator

Thank you!

0 Karma

TiagoTLD1
Communicator

Hi

Unfortunately that would only solve the issue for data with two ".

Data with more " would require more of that code and that would not be a good pratice.

Exemple: User with login "xxx" and id "zzzz" connected to server "yyy"

0 Karma

sundareshr
Legend

Why not do the replace in your query, before the where clause?

0 Karma

TiagoTLD1
Communicator

Sure, i already do that replace in order to compare data values without " against the token values. But the token mustn't have the " too. So I still need that token to not have ". The behaviour of replace function in the eval is apparently different inside the Dashboard and in a simple search.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Run the replace twice

<eval token="drillregex">replace(replace($click.name2$,"\"",""),"\"","")</eval>

Also, can you post some sample values that you receive in the chart?

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...