Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you add a custom eval function or a macro t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you add a custom eval function or a macro to a custom app search?
christophercorb
New Member
01-30-2019
04:59 AM
Hi,
I am currently struggling with a problem. I am implementing custom views within a custom app that has one input field as text. That field can contain a URL. When submitting the form, I trigger 3 different searches in dashboards. Problem — some searches only need the hostname, while others need the complete URL. So I did research on that and was able to achieve a solution that I consider a dirty/bad one. I added some javascript and a second token, hook into the submit button click and extract the hostname out of the given URL and set the new token with that value. There are some timing problems as well.
There are several macros/functions available like md5() or len(). So I was wondering if it was possible to add a custom function - something like "index=* sourcetype=whatever TERM(extract_host($url$))" where extract_host calls a Python function that takes the token as an input and returns a new string that replaces the function call in the search ,and after that, the search is executed.
Or something like "eval host=extract_host($url$) | index=* sourcetype=whatever TERM(host)" ?
I could not find a way to solve that problem other than using a very bad javascript solution. Any ideas?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-30-2019
07:09 AM
Like this:
<eval token="my_host">replace(replace($url$, "Prefix RegEx Here", null()), "Suffix RegEx Here", null())</eval>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
christophercorb
New Member
01-31-2019
01:45 AM
Hey. Thanks for your answer. The replace part works when I try it in the search , but with "" instead of null().
But where do I have to put the line in the simple xml tree? I tried it in >/change> but it does not work. I then tried a statement in the change child and that worked. So could you or anyone provide a full example please?
I could not find anything helpful in the splunk documentation or website.
<eval token="my_host">replace(replace($url$, "(https:\/\/|http:\/\/)?", ""), "\/(.*)", "")</eval>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-12-2019
09:16 PM
You can put it just about anywhere. The most common are between <preview>...</preview>, ...and ... `.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
