Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to use the replace command to modify a regex token on my dashboard?

TiagoTLD1
Communicator
‎09-20-2016 10:43 AM

Hello,

I have a chart where I want to use the drilldown in a table below, where I will want to search for that selected field in the chart.

The problem is the field has " in it, so I can't use a WHERE clause because it can't have more than two ".

So I figured I can use eval functions in this way (it is documented), and the replace function allows me to replace the " by \" so it can be used in a WHERE clause. I tested it outside the dashboard, with success.

**<eval token="drillregex">replace($click.name2$,"\"","")</eval>**

The issue is that this is only replacing the FIRST occurrence of ", so I still have other " in the data.

It is strange because replace function is supposed to replace every occurrence of it...

Any clues ?

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-20-2016 01:59 PM

You should be able to escape the quotes in the query like this "$tokName|s$. Now this may work in the drilldown section as well, I haven't tried. Worth a try though.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/tokens#Token_filters

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-20-2016 01:59 PM

You should be able to escape the quotes in the query like this "$tokName|s$. Now this may work in the drilldown section as well, I haven't tried. Worth a try though.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Viz/tokens#Token_filters

Reply
Solved! Jump to solution

TiagoTLD1
Communicator
‎09-21-2016 01:31 AM

Thank you!

0 Karma
Reply
Solved! Jump to solution

TiagoTLD1
Communicator
‎09-20-2016 12:08 PM

Hi

Unfortunately that would only solve the issue for data with two ".

Data with more " would require more of that code and that would not be a good pratice.

Exemple: User with login "xxx" and id "zzzz" connected to server "yyy"

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-20-2016 01:08 PM

Why not do the replace in your query, before the where clause?

0 Karma
Reply
Solved! Jump to solution

TiagoTLD1
Communicator
‎09-20-2016 01:16 PM

Sure, i already do that replace in order to compare data values without " against the token values. But the token mustn't have the " too. So I still need that token to not have ". The behaviour of replace function in the eval is apparently different inside the Dashboard and in a simple search.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-20-2016 11:53 AM

Run the replace twice

<eval token="drillregex">replace(replace($click.name2$,"\"",""),"\"","")</eval>

Also, can you post some sample values that you receive in the chart?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...