Splunk Search

How to get rid of the the spaces in token output?

tlmayes
Contributor

Trying to run a query that has a token field.  The output injects a space before and after the token provided keyword, which breaks the query..  Simple, but baffling. 

Original query

 

 

|inputlookup somelookup.csv
| eval raw="" | foreach * [eval raw=raw.",".coalesce('<<FIELD>>',"") ] | search raw="*$token$*"
| table field1, field2, field3

 

 

Output of query

 

 

|inputlookup somelookup.csv
| eval raw="" | foreach * [eval raw=raw.",".coalesce('<<FIELD>>',"") ] | search raw="* <keyword> *"
| table field1, field2, field3

 

 

 

How do I get rid of the spaces before and after the keyword?

Labels (1)
0 Karma
1 Solution

tlmayes
Contributor

For all that responded, appreciate your responses.  I removed EVERYTHING between the '| inputputlook" call and the table output and replaced with something as simple as: 

|inputlookup somelookup.csv
| search field1=$token$
| table field1, field2, field3

 The output still contains a space before and after the token value. 

BTW, the original token value was a value pulled from a look.  I also tried using a "static" value.  In all cases there is a space before and after

View solution in original post

0 Karma

tlmayes
Contributor

For all that responded, appreciate your responses.  I removed EVERYTHING between the '| inputputlook" call and the table output and replaced with something as simple as: 

|inputlookup somelookup.csv
| search field1=$token$
| table field1, field2, field3

 The output still contains a space before and after the token value. 

BTW, the original token value was a value pulled from a look.  I also tried using a "static" value.  In all cases there is a space before and after

0 Karma

yuanliu
SplunkTrust
SplunkTrust

I also tried using a "static" value.  In all cases there is a space before and after

If static value still cause space before and after, maybe they are introduced inadvertently in token prefix and suffix.  Inspect Simple XML Source ("Source" in editor), see if there are elements like

      <prefix> </prefix>
      <suffix> </suffix>

in the <input/> entity. (I used this to simulate your condition when testing solution.) 

Tags (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

Although you may be able to rid the spaces after they have been passed to your panel, it would be much better if you examine the input to figure out why the token has to pass spaces.  Are spaces expected in some other panels?

0 Karma

tlmayes
Contributor

The query involves only two components:  an input keyword provided by a static list of tokens form a dashboard input, and the master lookup table in the original query. 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

The query involves only two components:  an input keyword provided by a static list of tokens form a dashboard input, and the master lookup table in the original query. 

Meaning that you cannot redo the static input?  Unless the spaces are useful in some context, why not get rid of them in input?

This said, a quick fix can be to switch from search to where command, trim() spaces from $token$.

 

|inputlookup somelookup.csv
| eval raw="" | foreach * [eval raw=raw.",".coalesce('<<FIELD>>',"") ]
| where raw LIKE "%".trim("$token$")."%"
| table field1, field2, field3

 

 

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...