Splunk Search

How do you remove special characters from a token?

clintla
Contributor

What would be the easiest one line solution to remove special characters from a token?

I'm taking a text input (mac addresses like 00:1B:44:11:3A:B7) from the user, & 1 source type uses the exact address & another source type has no ":" in the address.

I'm using the token as the complete search item (does the search content have a imbedded variable?).

When I do things like add a token to an eval command, it doesn't work. It seems like there should be an easier way to get around this problem.

0 Karma

ccl0utier
Splunk Employee
Splunk Employee

You could use eval tokens:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/tokens#Define_token_filtering_and_formatting

For example:

<eval token="new_token">replace('mac_address_token', ":", "")</eval>

clintla
Contributor

"This seems like it would work

I insert w/ stanza

<input type="text" token="WWN1" searchWhenChanged="true">
  <label>Enter WWN</label>
  <default></default>
</input>

replace($WWN1$, ":","") searchWhenChanged="true"

but 2 things are happening.
1- Splunk decides when I refresh the dashboard to re-arrange my code

replace($WWN1$, ":","") searchWhenChanged="true"

<input type="text" token="WWN1" searchWhenChanged="true">
  <label>Enter WWN</label>
  <default></default>
</input>

2- it works after I hit "save" when I put the new stanza after the input.. but if I insert another WWN
it never update, if I refresh the page, splunk inverts the code again. "

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

What about this: YOUR_SEARCH | eval mac_full = "$token$" | eval mac_short = mac_full | rex field=mac_short mode=sed "s/://g""

0 Karma

clintla
Contributor

I guess at the simplest part of this is how can I remove all ":" from a mac address & pass it on to another panel?

I dont think escapes will work due to its not a quote, Not sure how to escape would work in any case scenerio since ":"'s are throughout the string.

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

HI @clintla

When using tokens on dashboards, you should use the token escape sequence $my_token|s$

The |s is the extra part that will add double quotes and take care of escaping for you.

Here is the relevant documentation: https://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Token_filters

I hope this is helpful

0 Karma

ccl0utier
Splunk Employee
Splunk Employee

Your question would benefit from an added example to make it clearer.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...