Splunk Search

How to set a token with eval?

jamesmarlowww
Path Finder

I'm trying to set a token with eval. However, my logic doesn't seem to be working. I haven't been able to find a working example in the docs or from Answers, so a nudge in the right direction would be appreciated

  <input type="text" token="stuff">
 <label>test</label>
 <default>bband</default>
 <change>
    <eval token="stuff">replace($stuff$, ",", " OR ACCOUNT_NO=")</eval>
 </change>
</input>

Have also tried using ' chars instead of $

woodcock
Esteemed Legend
0 Karma

dineshraj9
Builder

Below should work -

 <eval token="stuff">replace('value', ",", " OR ACCOUNT_NO=")</eval>

SwamyRaj
New Member

Hi ,

Even i am facing the related issue.

        <condition field="_raw">
        <set token="serv">$serv$</set>
        <set token="src">$row.source$</set>

       <eval token="srcEval">rtrim('src',"_txn_log")</eval> 

        <set token="uri">$row.uri$</set>
        <set token="_raw">$click.value2$</set>
       </condition>

I am trying to set token(srcEval) by using eval command..but it is not working ...Could you help ??

0 Karma

jamesmarlowww
Path Finder

Have you tried

rtrim(src,"_txn_log")

Without the ' char?

0 Karma

13yqiao
Engager

Have you tried $value$ instead of $stuff$?

0 Karma

jamesmarlowww
Path Finder

From my comments above, it looks like I got it mostly working like this

     <eval token="stuff">replace(stuff, ",", " OR ACCOUNT_NO=")</eval>
0 Karma

jamesmarlowww
Path Finder

Yeah I think differences between the SPL eval and XML eval is what is causing different results.

"It is also important to note that regular expressions in dashboard eval expressions use the syntax and semantics of the JavaScript regular expression engine. This is not the same engine used for SPL eval expressions. If you are using regular expressions in search tokens, check that syntax and semantics match those for JavaScript."

Anyways thanks @frobinson_splunk and @aljohnson_splunk for your time and advice

Raghav2384
Motivator

I have used eval previously to straighten out a user input and then normalize the data. My case was, user enters a MAC address (Since it users, could be in any of the know MAC address formats), so we assigned the entry to a token, then applied eval to format it to our comfort. This was done in the search though. Just posting it in hope that it will give you some more ideas

[search index=blah | eval MacAddress=$MAC|s$|eval MAC=replace(MacAddress,"([-:\.])","")|return MAC]| wrapped in a subsearch which finally feeds the normalized MAC back to parent search.

Thanks,
Raghav

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Hi @jamesmarloww,
I'm not sure of all of the details of the result you are trying to create with "eval" and a token. In case it helps, "eval" expressions in dashboards do use the same syntax as SPL "eval", but there are some exceptions to their behavior and usage (including the regular expression library). See:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/tokens#Custom_logic_for_dashboards

for notes on how dashboard "eval" differs from SPL eval:
http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Eval

Also, have you seen the eval example in the Dashboard Examples App?
https://splunkbase.splunk.com/app/1603/

Hope this helps,

jamesmarlowww
Path Finder

Thanks. Have now... seems to be half working. But my replace function is only picking up the first occurance. Unlike using it in splunk search

0 Karma

mikaelbje
Motivator

Did you get this to work? My eval token is only replacing the first occurence too. On 6.5.1 with the following where I try to change:

index=bla OR index=foo

To

bla,foo

by using:

    <input type="multiselect" token="tenant_indexes" depends="$multi_tenancy$">
      <change>
        <eval token="tenant_indexes_filter">replace(replace(tenant_indexes,"index=","")," OR ",",")</eval>
      </change>
      <label>Tenant</label>
      <fieldForLabel>tenant_name</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <query>| `get_tenants_for_user_role($env:user$)`</query>
      </search>
      <default>index=*</default>
      <delimiter> OR </delimiter>
      <choice value="index=*">All</choice>
    </input>
0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

Did you try no chars?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...