Splunk Search
Highlighted

How do you remove special characters from a token?

Communicator

What would be the easiest one line solution to remove special characters from a token?

I'm taking a text input (mac addresses like 00:1B:44:11:3A:B7) from the user, & 1 source type uses the exact address & another source type has no ":" in the address.

I'm using the token as the complete search item (does the search content have a imbedded variable?).

When I do things like add a token to an eval command, it doesn't work. It seems like there should be an easier way to get around this problem.

0 Karma
Highlighted

Re: How do you remove special characters from a token?

Splunk Employee
Splunk Employee

Your question would benefit from an added example to make it clearer.

0 Karma
Highlighted

Re: How do you remove special characters from a token?

SplunkTrust
SplunkTrust

HI @clintla

When using tokens on dashboards, you should use the token escape sequence $my_token|s$

The |s is the extra part that will add double quotes and take care of escaping for you.

Here is the relevant documentation: https://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Token_filters

I hope this is helpful

0 Karma
Highlighted

Re: How do you remove special characters from a token?

Communicator

I guess at the simplest part of this is how can I remove all ":" from a mac address & pass it on to another panel?

I dont think escapes will work due to its not a quote, Not sure how to escape would work in any case scenerio since ":"'s are throughout the string.

0 Karma
Highlighted

Re: How do you remove special characters from a token?

SplunkTrust
SplunkTrust

What about this: YOUR_SEARCH | eval mac_full = "$token$" | eval mac_short = mac_full | rex field=mac_short mode=sed "s/://g""

0 Karma
Highlighted

Re: How do you remove special characters from a token?

Splunk Employee
Splunk Employee

You could use eval tokens:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/tokens#Define_token_filtering_and_formatting

For example:

<eval token="new_token">replace('mac_address_token', ":", "")</eval>
Highlighted

Re: How do you remove special characters from a token?

Communicator

"This seems like it would work

I insert w/ stanza

<input type="text" token="WWN1" searchWhenChanged="true">
  <label>Enter WWN</label>
  <default></default>
</input>

replace($WWN1$, ":","") searchWhenChanged="true"

but 2 things are happening.
1- Splunk decides when I refresh the dashboard to re-arrange my code

replace($WWN1$, ":","") searchWhenChanged="true"

<input type="text" token="WWN1" searchWhenChanged="true">
  <label>Enter WWN</label>
  <default></default>
</input>

2- it works after I hit "save" when I put the new stanza after the input.. but if I insert another WWN
it never update, if I refresh the page, splunk inverts the code again. "

0 Karma