XML dashboard - modify a token using replace and r...

BernardEAI · ‎11-09-2020

Hi

I'm trying to repeat the example for replace in the Splunk documentation, within a dashboard: (https://docs.splunk.com/Documentation/SplunkCloud/8.1.2009/SearchReference/TextFunctions)

I'm running this in a dashboard, triggered by a drilldown:

<drilldown>
 <eval token="p1_ttr_left">replace("1/14/2017", "^(\d{1,2})/(\d{1,2})/", "\2/\1/")</eval>
</drilldown>

It doesn't seem to work, nothing happens to the token (I'm writing it to the dashboard output).

BernardEAI · ‎11-09-2020

Thanks @richgalloway . This didn't work, still not replacing the token. In fact, the token remains as

$p1_ttr_left$ in the dashboard.

If I run the following as a test, it seems to work and it performs the replace on the string and returns the token.

<eval token="p1_ttr_left">replace("www,aaa","^(.+?),","")</eval>

It looks to me like some forms of regex is accepted, but other (specifically if it includes a \..?) doesn't work.

richgalloway · ‎11-09-2020

The slashes need to be escaped. Try

<eval token="p1_ttr_left">replace("1/14/2017", "^(\d{1,2})\/(\d{1,2})\/", "\2/\1/")</eval>

---
If this reply helps you, Karma would be appreciated.

XML dashboard - modify a token using replace and regex