Hi there,
actually I'm developing a dashboard for supporting Use Case testing. Amongst other fields it reads from inputlookup a field that is a 1:1 copy from a real "_raw" field of a real test event. The field is copied to an input field that allows user to modify the content.
Here's the code:
<panel depends="$show_test_event_both$" id="id_panel_test_event_xst">
<table>
<search rejects="$no_process_srch_test_event_xst$">
<query>
| inputlookup secops.UC_Testing_Events.csv
| search tenant = "$sel_tenant$" AND alert_name = "$sel_alert_name$" AND alert_version = "$sel_alert_version$"
| rename _raw as test_event
| table test_event
</query>
<done>
<set token="no_process_srch_test_event_xst"></set>
<eval token="sel_test_event">coalesce($result.test_event$, "n/a")</eval>
<set token="show_test_event_both"></set>
</done>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
</table>
</panel>
<panel depends="$show_test_event_both$" id="id_panel_test_event_edt">
<input type="input" token="edit_test_event" searchWhenChanged="true" id="id_input_test_event">
<label>Test Event Prototype</label>
<default>$initVal_test_event|n$</default>
</input>
</panel>
<panel depends="$show_test_event_both$" id="id_panel_test_event_opt">
<input type="radio" token="btn_event_action">
<label>Select desired action</label>
<change>
<condition match="$btn_event_action$=="copy"">
<unset token="btn_event_action"></unset>
<unset token="form.btn_event_action"></unset>
<set token="initVal_test_event">$sel_test_event|n$</set>
</condition>
The field called "_raw" in lookup is read into "sel_test_event" which is used as initialValue for the input field of the dashboard called "edit_test_event".
So far, so good - in both fields the TAB characters present in the origin "_raw" field appear as they are stored in the lookup. Looks like this:
The user then starts to replace some discrete values with placeholders like this for the original "_time" field at the beginning of the row: {ts_yyyy_mm_dd_HH_MM_SS}. All existing TAB characters are still in the input field when user is done.
When pressing on save button the modified "edit_test_event" field should be written to lookup again. Running that search (that replaces all discrete values with placeholders as specified by user) REPLACES all TAB characters by SPACES, leading to final result is not usable as a test event.
Whatever I tried so far did not work:
| eval _raw = "$edit_test_event$"
or
| eval _raw = $edit_test_event|s$
or
| eval _raw = "$edit_test_event|n$"
Has anyone of you an idea why the TAB characters are replaced and may be why even the "...|n$" (token filtering off) is not working ?
As you may imagine this is an absolute show stopper as the structure of a "_raw" event may not be modified itself. Any help appreciated.
Many thanks in advance,
Ekke