Why is XML dashboard token losing tab characters?

eherbst63
Hi there,

Actually, I'm developing a dashboard for supporting Use Case testing. Amongst other fields, it reads from inputlookup a field that is a 1:1 copy of a real "_raw" field of a real test event. The field is copied to an input field that allows the user to modify the content.

Here's the code:

<panel depends="$show_test_event_both$" id="id_panel_test_event_xst">
  <table>
    <search rejects="$no_process_srch_test_event_xst$">
      <query>
        | inputlookup secops.UC_Testing_Events.csv
        | search tenant = "$sel_tenant$" AND alert_name = "$sel_alert_name$" AND alert_version = "$sel_alert_version$"
        | rename _raw as test_event
        | table test_event
      </query>
      <done>
        <set token="no_process_srch_test_event_xst"></set>
        <eval token="sel_test_event">coalesce($result.test_event$, "n/a")</eval>
        <set token="show_test_event_both"></set>
      </done>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
  </table>
</panel>
<panel depends="$show_test_event_both$" id="id_panel_test_event_edt">
  <input type="input" token="edit_test_event" searchWhenChanged="true" id="id_input_test_event">
    <label>Test Event Prototype</label>
    <default>$initVal_test_event|n$</default>
  </input>
</panel>
<panel depends="$show_test_event_both$" id="id_panel_test_event_opt">
  <input type="radio" token="btn_event_action">
    <label>Select desired action</label>
    <change>
      <condition match="$btn_event_action$==&quot;copy&quot;">
        <unset token="btn_event_action"></unset>
        <unset token="form.btn_event_action"></unset>
        <set token="initVal_test_event">$sel_test_event|n$</set>
      </condition>

The field called "_raw" in the lookup is read into "sel_test_event", which is used as the initial value for the input field of the dashboard called "edit_test_event".

So far, so good - in both fields the TAB characters present in the original "_raw" field appear as they are stored in the lookup. Looks like this:

[Screenshot: eherbst63_0-1682154003505.png]

The user then starts to replace some discrete values with placeholders like this for the original "_time" field at the beginning of the row: {ts_yyyy_mm_dd_HH_MM_SS}. All existing TAB characters are still in the input field when the user is done.

When the save button is pressed, the modified "edit_test_event" field should be written to the lookup again. Running that search (which replaces all discrete values with placeholders as specified by the user) REPLACES all TAB characters with SPACES, so the final result is not usable as a test event.

Whatever I tried so far did not work:

| eval _raw = "$edit_test_event$"
or
| eval _raw = $edit_test_event|s$
or
| eval _raw = "$edit_test_event|n$"

Does anyone have an idea why the TAB characters are replaced, and maybe why even the "...|n$" (token filtering off) is not working?

As you may imagine this is an absolute show stopper as the structure of a "_raw" event may not be modified itself. Any help appreciated.

Many thanks in advance,

Ekke
