Splunk Search

Help with Splunk 6.3 Simple XML text input box: condition match regex IP address

mydog8it
Builder

I am trying to test a text input box value to determine if an IP address was provided. If an IP address was provided, I want to set the token "test-result" to Is_an_IP. If an IP address is not provided I want to set the token "test-result" to Is_NOT_an_IP.

I have tried the test using simple string tests and the dashboard works without issue. When I try to do the regex/IP test, it does not work.

I do not have enough karma to post links to the documentation.

Below is my Simple XML:

<form>
  <label>Test_IP</label>
  <fieldset>
    <input type="text" token="field100">
      <change>
        <condition match="match(value, &quot;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}&quot;)">
          <set token="test-result">Is_an_IP</set>
        </condition>
        <condition>
          <set token="test-result">Is_NOT_an_IP</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Test-Result=$test-result$ field=$field100$</title>
        <search>
          <query>index=**</query>
          <earliest>0</earliest>
        </search>
      </table>
    </panel>
  </row>
</form>
1 Solution

niketn
Legend

Kindly refer to Splunk documentation (http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens) for the following two points:

  1. Regular Expressions in dashboard eval expressions use the syntax and semantics of the JavaScript regular expression engine. This is not the same engine used for SPL eval expressions.

  2. You can compute a token's value based on the result of an eval expression.

Based on the above, inside the change block, instead of using condition, please use the following eval block, which in turn will perform the match condition:

   <change>
       <eval token="test-result">if(match(value, &quot;^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$&quot;), &quot;IS AN IP&quot;, &quot;IS NOT IP&quot;)</eval>
   </change>

PS: The regular expression for an IPv4 address is way more elaborate than the one used here (i.e. up to three-digit numbers separated by dots). Please refer to documentation on JavaScript regular expressions for IP addresses, as three-digit numbers cannot be greater than 255.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
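
The accepted answer's pattern and the stricter octet-range form its PS points to, run through JavaScript's RegExp engine, as an added example that is not code from the thread. It assumes the dashboard's match() behaves like RegExp.prototype.test on the raw text-box value, and it also shows why the ^ and $ anchors matter once the token is interpolated into a search.

```javascript
// Added example, not code from the thread: the accepted answer's pattern and a
// stricter one, evaluated with JavaScript's RegExp, the engine Simple XML eval uses.
// Assumption: the dashboard's match() behaves like RegExp.prototype.test on the
// raw text-box value; the return strings mirror the <eval> block above.

// Written as the eval string is: a doubled backslash in the string literal
// reaches the regex engine as a single "\.".
const LOOSE_IPV4 = new RegExp(
  "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$");

// Stricter form: every octet must be 0-255, so "999.1.1.1" is rejected.
const OCTET = "(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
const STRICT_IPV4 = new RegExp("^" + OCTET + "(\\." + OCTET + "){3}$");

// The question's original pattern had no ^ and $, so it also fires on input
// that merely contains something IP-shaped; the anchors are what stop that.
const UNANCHORED_IPV4 = /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/;

// Mirrors if(match(value, regex), "IS AN IP", "IS NOT IP").
function classify(value, strict = false) {
  const re = strict ? STRICT_IPV4 : LOOSE_IPV4;
  return re.test(value) ? "IS AN IP" : "IS NOT IP";
}

function containsIpShape(value) {
  return UNANCHORED_IPV4.test(value);
}

// Constructed sample values a text box might receive.
const SAMPLES = ["192.168.1.1", "999.1.1.1", "10.0.0", "1.2.3.4 OR *", "abc"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s).padEnd(16),
    "loose:", classify(s).padEnd(9),
    "strict:", classify(s, true).padEnd(9),
    "unanchored:", containsIpShape(s));
}
```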

mydog8it
Builder

just noticed the posting process interpreted my double quote ascii value. I'm trying to break the interpretation by inserting spaces ...condition match="match(value, & quot ;d{1,3}.d{1,3}.d{1,3}.d{1,3}& quot ;)">

0 Karma

peter_holmes_an
Path Finder

Did you manage to get this to work at all?

I'm playing around with something similar and I can almost get regex to work with something like this

<input type="text" token="hrtearliest">
    <label>Human Readable Time Start</label>
    <change>
        <eval token="test">if(match($value$, &quot;(.+)&quot;), &quot;match&quot;, &quot;not match&quot;)</eval>
    </change>
</input>

But if I try to expand the regex in the match, it stops setting the test token at all. For example, with the text box set to 2016:

<input type="text" token="hrtearliest">
    <label>Human Readable Time Start</label>
    <change>
        <eval token="test">if(match($value$, &quot;(\d+)&quot;), &quot;match&quot;, &quot;not match&quot;)</eval>
    </change>
</input>

It seems from my testing that the regex doesn't work with meta characters (\d, \w etc.) but does work with control characters ({3}, + * etc.). I also tried using the escape string for the \ on the meta characters, but that didn't help.

0 Karma

Lowell
Super Champion

I found out that the JavaScript version of the match() eval function apparently doesn't like something as simple as \d+. However, if I changed it to [0-9]+ then it worked.

I'm not sure if the backslash needs to be escaped, or if \d specifically isn't supported, or what. But I was just trying to match any integer, so I didn't take it any further.

The docs do mention that the regular expression dialect is different (JavaScript vs PCRE), but I'm not that familiar with the differences there either.

Good luck!
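
How a single lost backslash turns \d+ into a pattern that no longer matches digits while [0-9]+ is unaffected, as an added example that is not code from the thread. The JavaScript RegExp engine itself does support \d; whether Splunk's eval parser is the string layer that drops the backslash is an assumption, since the comments above only report the symptom.

```javascript
// Added example, not code from the thread: the effect of a string layer
// consuming the backslash before the pattern reaches the regex engine.
// Assumption: that this is what happens inside the dashboard's eval parser;
// the thread reports only that \d fails and [0-9] works.

// In a JavaScript string literal "\d" is an identity escape, so the backslash
// is dropped and the engine receives "d+", a literal letter d.
function compiledSource(patternString) {
  return new RegExp(patternString).source;
}

// Anchored whole-value test, like matching an integer typed into a text box.
function isInteger(patternString, value) {
  return new RegExp("^" + patternString + "$").test(value);
}

const LOST_BACKSLASH = "\d+";   // reaches the engine as  d+
const KEPT_BACKSLASH = "\\d+";  // reaches the engine as  \d+
const BRACKET_CLASS = "[0-9]+"; // no backslash to lose

// Constructed inputs: the "2016" from the comment above, plus a non-number.
for (const v of ["2016", "dd"]) {
  console.log(v.padEnd(5),
    "lost:", isInteger(LOST_BACKSLASH, v),
    "kept:", isInteger(KEPT_BACKSLASH, v),
    "class:", isInteger(BRACKET_CLASS, v));
}
```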

Lowell
Super Champion

haha, just saw this also noted in a comment above. Whoops. Oh well, missed it the first time I read through it; maybe this will still be helpful to someone.

richgalloway
SplunkTrust

@peter_holmes_anaplan: you're responding to a year-old thread. For better chances at getting an answer, I suggest you post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

peter_holmes_an
Path Finder

@richgalloway: Thanks Rich, I actually worked out how to do this after posting the comment (you need to just avoid meta characters and use [0-9] for \d etc.). I'm going to post this as a comment on the token usage documentation as it would have saved me a few hours :-).

0 Karma

lguinn2
Legend

I strongly suggest that you use the XML CDATA construct to simplify these problems.
Surrounding text with <![CDATA[ and ]]> means that you don't have to worry about XML munging your special characters. You don't need to use &quot; and friends. (You do still need to worry about how Splunk interprets the special characters...)

0 Karma

richgalloway
SplunkTrust

If you indent each line of your XML 4 spaces, the editor will preserve special characters. I made the change for you.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mydog8it
Builder

Thanks for the edit!

0 Karma

ppablo
Retired

Hi @mydog8it (just got the cleverness of your username after typing it out ;P)

Just so you know, you're welcome to post the URL to docs you're referring to, even without enough karma. They won't render as links, but at least people can see exactly what page(s) you're referring to or copy and paste it themselves.

Cheers!
Patrick

0 Karma

mydog8it
Builder

Thanks Patrick!
Here is the path to Evaluation Functions documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/CommonEvalFunctions
do a find for "match(SUBJECT, "REGEX")"

Here is the path to the v6.3 Simple XML reference docs:
http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML
do a find for "match"

0 Karma

richgalloway
SplunkTrust

Have you tried escaping the quotes inside your match command?

---
If this reply helps you, Karma would be appreciated.
0 Karma

mydog8it
Builder

I'm using the ASCII text for quotes in my XML. The posting process interpreted them and is displaying the quotes. I introduced spaces into the ASCII text and they do not get interpreted ... match="match(value, & quot ;d{1,3}.d{1,3}.d{1,3}.d{1,3}& quot ;)">

0 Karma

richgalloway
SplunkTrust

I'm suggesting you should try match(value, \"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\").

---
If this reply helps you, Karma would be appreciated.
0 Karma

mydog8it
Builder

The dashboard tool will not save with that syntax.
"Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 15: Extra content at the end of the document "

0 Karma