Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you remove special characters from a token?

clintla
Contributor
‎02-05-2019 06:11 AM

What would be the easiest one line solution to remove special characters from a token?

I'm taking a text input (mac addresses like 00:1B:44:11:3A:B7) from the user, & 1 source type uses the exact address & another source type has no ":" in the address.

I'm using the token as the complete search item (does the search content have a imbedded variable?).

When I do things like add a token to an eval command, it doesn't work. It seems like there should be an easier way to get around this problem.

0 Karma
Reply

ccl0utier
Splunk Employee
Splunk Employee
‎02-06-2019 11:19 AM

You could use eval tokens:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/tokens#Define_token_filtering_and_formatting

For example:

<eval token="new_token">replace('mac_address_token', ":", "")</eval>
Reply

clintla
Contributor
‎02-27-2019 11:11 AM

"This seems like it would work

I insert w/ stanza

<input type="text" token="WWN1" searchWhenChanged="true">
  <label>Enter WWN</label>
  <default></default>
</input>

replace($WWN1$, ":","") searchWhenChanged="true"

but 2 things are happening.
1- Splunk decides when I refresh the dashboard to re-arrange my code

replace($WWN1$, ":","") searchWhenChanged="true" 

<input type="text" token="WWN1" searchWhenChanged="true">
  <label>Enter WWN</label>
  <default></default>
</input>

2- it works after I hit "save" when I put the new stanza after the input.. but if I insert another WWN
it never update, if I refresh the page, splunk inverts the code again. "

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 11:01 AM

What about this: YOUR_SEARCH | eval mac_full = "$token$" | eval mac_short = mac_full | rex field=mac_short mode=sed "s/://g""

0 Karma
Reply

clintla
Contributor
‎02-06-2019 10:07 AM

I guess at the simplest part of this is how can I remove all ":" from a mac address & pass it on to another panel?

I dont think escapes will work due to its not a quote, Not sure how to escape would work in any case scenerio since ":"'s are throughout the string.

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-05-2019 10:12 AM

HI @clintla

When using tokens on dashboards, you should use the token escape sequence $my_token|s$

The |s is the extra part that will add double quotes and take care of escaping for you.

Here is the relevant documentation: https://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Token_filters

I hope this is helpful

0 Karma
Reply

ccl0utier
Splunk Employee
Splunk Employee
‎02-05-2019 07:02 AM

Your question would benefit from an added example to make it clearer.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...