Dashboards & Visualizations

XML dashboard - modify a token using replace and regex

BernardEAI
Communicator

Hi

I'm trying to repeat the example for replace in the Splunk documentation, within a dashboard: (https://docs.splunk.com/Documentation/SplunkCloud/8.1.2009/SearchReference/TextFunctions)

I'm running this in a dashboard, triggered by a drilldown:

 

<drilldown>
 <eval token="p1_ttr_left">replace("1/14/2017", "^(\d{1,2})/(\d{1,2})/", "\2/\1/")</eval>
</drilldown>

 

It doesn't seem to work, nothing happens to the token (I'm writing it to the dashboard output).

Labels (1)
0 Karma

BernardEAI
Communicator

Thanks @richgalloway . This didn't work, still not replacing the token. In fact, the token remains as 

$p1_ttr_left$ in the dashboard.

If I run the following as a test, it seems to work and it performs the replace on the string and returns the token.

<eval token="p1_ttr_left">replace("www,aaa","^(.+?),","")</eval>

It looks to me like some forms of regex is accepted, but other (specifically if it includes a \..?) doesn't work.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The slashes need to be escaped.  Try

<eval token="p1_ttr_left">replace("1/14/2017", "^(\d{1,2})\/(\d{1,2})\/", "\2/\1/")</eval>
---
If this reply helps you, Karma would be appreciated.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Introducing .conf Stories Series!

“.conf Stories” Series – First Feature: Rich Mahlerwein   Every year .conf brings together some of the most ...