Splunk Search

How can I escape backslash in a token to modify a search?

waltz
Explorer

I have a search which sometimes I want to do an append, and sometimes not - this should be driven by a dropdown in the GUI. The optional append looks like this:

| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")  | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")

I have defined a Dropdown like this:

<input type="dropdown" token="tzz" searchWhenChanged="true">
         <choice value="| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")  | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") ", {}, e.data); } >TZ</choice>
</input>

And $tzz$ goes at the end of my main search.

My problem is that backslashes or rather \d in | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | are not accepted inside the token value. Is there a way of escaping them?

Thank you.

Edit(Added):

EventHandler.setToken("tzadjust", "| eval time_splunk=strftime(_time, \"%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)\") | eval time_offset=strftime(_time, \"%:z\") | rex field=time_offset \".(?<time_offset_seconds>\d{2}:\d{2})\" | eval time_offset_seconds=time_offset_seconds.\":00\" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, \"%s\") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)==\"+\", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , \"%Y-%m-%d %H:%M:%S\") | eval _time = strptime(time_utc,\"%Y-%m-%d %H:%M:%S\") ", {}, e.data);
}

This is how I set my token and I have to escape \d in the rex field portion.

0 Karma

woodcock
Esteemed Legend

Enclose the entire search string in a CDATA tag, like this:

<input type="dropdown" token="tzz" searchWhenChanged="true">
   <choice value="![CDATA[| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")  | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") ", {}, e.data); }]]>TZ</choice>
</input>
0 Karma

somesoni2
Revered Legend

How about this?

<input type="dropdown" token="tzz" searchWhenChanged="true">
<choice value=" | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?&lt;time_offset_seconds&gt;\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | >TZ</choice> </input>
0 Karma

waltz
Explorer

EventHandler.setToken("tzadjust", "| eval time_splunk=strftime(_time, \"%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)\") | eval time_offset=strftime(_time, \"%:z\") | rex field=time_offset \".(?<time_offset_seconds>\d{2}:\d{2})\" | eval time_offset_seconds=time_offset_seconds.\":00\" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, \"%s\") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)==\"+\", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , \"%Y-%m-%d %H:%M:%S\") | eval _time = strptime(time_utc,\"%Y-%m-%d %H:%M:%S\") ", {}, e.data);
}

This is how I set my token and I have to escape \d in the rex field portion.

0 Karma

somesoni2
Revered Legend

Can you try the updated query (replacing < and > with the corresponding HTML code)?

0 Karma

waltz
Explorer

The query which I had provided earlier was a dummy one, @somesoni2. This is the actual one:

| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")

I need the modified token of the corresponding HTML code.

0 Karma

somesoni2
Revered Legend

Try with this:

| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?&lt;time_offset_seconds&gt;\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")
0 Karma
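
An added example (not code from any poster in this thread) of the two encodings discussed here: the entity form for a Simple XML `<choice value="...">` attribute and the doubled-backslash form for a JavaScript string passed to `setToken`. It covers only the XML and JavaScript layers; how Splunk's token substitution treats the value afterwards is not modelled, and all function names are illustrative.

```javascript
// Added example: encode one SPL fragment for the two containers used in this thread.
// The SPL text itself never changes; only each container's escaping rules apply.

// SPL exactly as typed in the Search app (String.raw keeps every backslash).
const spl = String.raw`| eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})"`;

// XML attribute context: & < > " must become entities, otherwise the parser
// treats <time_offset_seconds> as a tag and the inner quotes end the attribute.
// Backslashes have no special meaning in XML and pass through untouched.
function toXmlAttr(s) {
  return s.replace(/&/g, "&amp;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;");
}

// What an XML parser hands back for that attribute (predefined entities only;
// &amp; is decoded last so a literal "&amp;lt;" stays "&lt;").
function fromXmlAttr(s) {
  return s.replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">")
          .replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'")
          .replace(/&amp;/g, "&");
}

// JavaScript string-literal context: every backslash doubled, every double
// quote escaped. JSON.stringify emits exactly such a literal.
function toJsLiteral(s) {
  return JSON.stringify(s);
}

// The failure mode: in an ordinary JS literal "\d" is an unknown escape, so the
// backslash is dropped before the string ever reaches setToken.
function naiveLiteralLosesBackslash() {
  return "\d{2}" === "d{2}";
}

// Both encodings side by side for the same SPL fragment.
function encodeForDashboard(s) {
  return {
    xmlChoice: `<choice value="${toXmlAttr(s)}">TZ</choice>`,
    jsLiteral: toJsLiteral(s),
  };
}

console.log(encodeForDashboard(spl));
```
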

cmerriman
Super Champion

Try doing $tzz|s$ in your search, to encompass it all in quotes?

0 Karma

waltz
Explorer

Yeah, I did try that @cmerriman. But my search would end up like this: index = myindex| "| eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" " which would not yield results to me (throws out an error).

0 Karma

cmerriman
Super Champion

I just created this token in a test dashboard and receive this error. I didn't escape anything, but it came out just fine when I opened it in search.
Error in 'rex' command: Encountered the following error while compiling the regex '.(?\d{2}:\d{2})': Regex: unrecognized character after (? or (?-
The regex is looking for a naming group:

| rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})"
0 Karma

waltz
Explorer

Yes, that's what! The regex works fine in a search, but in the dashboard it seems like I have to escape the backslash. Btw, this is not the entire token search which I'm gonna append after my primary search, it's just a small snippet from the token.

0 Karma

rjthibod
Champion
0 Karma

waltz
Explorer

Thank you @rjthibod, I did refer to this docs page and tried them out. But it wouldn't escape the backslash in my token.

0 Karma