Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do we edit the format of a token value before it is passed to a search?

avanthi1823
New Member
‎10-26-2015 09:10 PM

Experts,

We have a input form which expects a UID type of data from users. There are few known formats to UID, like: abcd:efgh:ijkl OR ab-cd-ef-gh-ij-kl OR ab:cd:ef:gh:ij:kl OR ab.cd.ef.gh.ij.kl

User can enter any one of these formats which we grab to the token "fix". We then want to straighten the user input by removing -,:,.

Example: 

index=abc source=xyz fix=search[|eval fix="$fix$"|eval fix1 = upper(replace(fix,"([-:\.])",""))|return fix1]

This is not working. It keeps saying that it didn't find any results. If I just use: 

index=abc source=xyz |eval fix = upper(replace(Original_field,"([-:\.])"),"")

it straightens out and gives the desired output: ABDCDEFGHIJKL

Note: Original_field is what actually holds the abcd:efgh:ijkl OR ab-cd-ef-gh-ij-kl OR ab:cd:ef:gh:ij:kl OR ab.cd.ef.gh.ij.kl patterns. We have created "Fix" as a Field Extraction to straighten out data from the Backend. Since we can't anticipate what format the user is going to enter, we want to grab it anyway and straighten it out and pass it to the search from the front-end as well. I have been searching and found couple of answers

https://answers.splunk.com/answers/127021/manipulate-a-token-string-in-a-form.html

but no luck.

Thanks in advance
Avanthi

0 Karma
Reply

somesoni2
Revered Legend
‎10-27-2015 12:20 PM

Try something like this

 index=abc source=xyz fix=search[| noop |eval fix="$fix$"|eval fix1 = upper(replace(fix,"([-:\.])",""))|return fix1]

Update Didn't test that | noop doesn't work for this purpose.

 index=abc source=xyz fix=search[| gentimes start=-1 |eval fix="$fix$"|eval fix1 = upper(replace(fix,"([-:\.])",""))|return fix1]
0 Karma
Reply

wpreston
Motivator
‎10-27-2015 12:24 PM

It looks like noop is an undocumented command. Would you mind giving a quick rundown of what it does? I'd like to learn...

0 Karma
Reply

somesoni2
Revered Legend
‎10-27-2015 01:32 PM

I saw someone used noop in the same way so though of suggesting with it. It's indeed not documented but some details available here.

https://answers.splunk.com/answers/241584/splunk-should-upgrade-the-noop-command-to-take-a-s.html

Reply

wpreston
Motivator
‎10-27-2015 12:09 PM

Would making the value of fix=$fix$ a subsearch accomplish what you need?

index=abc source=xyz [search | stats count |eval fix="$fix$"|eval fix = upper(replace(fix,"([-:\.])",""))| fields - count]
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...