- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set a token with eval?
data:image/s3,"s3://crabby-images/9a21a/9a21a71bf5bd81720be757df18b9c19ba90e3be2" alt="jamesmarlowww jamesmarlowww"
I'm trying to set a token with eval. However, my logic doesn't seem to be working. I haven't been able to find a working example in the docs or from Answers, so a nudge in the right direction would be appreciated
<input type="text" token="stuff">
<label>test</label>
<default>bband</default>
<change>
<eval token="stuff">replace($stuff$, ",", " OR ACCOUNT_NO=")</eval>
</change>
</input>
Have also tried using '
chars instead of $
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/9dd94/9dd94b2e112752e754d596f78e5ce328b89fc899" alt="woodcock woodcock"
Check out eval token
here:
https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below should work -
<eval token="stuff">replace('value', ",", " OR ACCOUNT_NO=")</eval>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Even i am facing the related issue.
<condition field="_raw">
<set token="serv">$serv$</set>
<set token="src">$row.source$</set>
<eval token="srcEval">rtrim('src',"_txn_log")</eval>
<set token="uri">$row.uri$</set>
<set token="_raw">$click.value2$</set>
</condition>
I am trying to set token(srcEval) by using eval command..but it is not working ...Could you help ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/9a21a/9a21a71bf5bd81720be757df18b9c19ba90e3be2" alt="jamesmarlowww jamesmarlowww"
Have you tried
rtrim(src,"_txn_log")
Without the ' char?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried $value$ instead of $stuff$?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/9a21a/9a21a71bf5bd81720be757df18b9c19ba90e3be2" alt="jamesmarlowww jamesmarlowww"
From my comments above, it looks like I got it mostly working like this
<eval token="stuff">replace(stuff, ",", " OR ACCOUNT_NO=")</eval>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/9a21a/9a21a71bf5bd81720be757df18b9c19ba90e3be2" alt="jamesmarlowww jamesmarlowww"
Yeah I think differences between the SPL eval and XML eval is what is causing different results.
"It is also important to note that regular expressions in dashboard eval expressions use the syntax and semantics of the JavaScript regular expression engine. This is not the same engine used for SPL eval expressions. If you are using regular expressions in search tokens, check that syntax and semantics match those for JavaScript."
Anyways thanks @frobinson_splunk and @aljohnson_splunk for your time and advice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/39639/39639cbeba72e7d68ebf12645da98660ed33d3b3" alt="Raghav2384 Raghav2384"
I have used eval previously to straighten out a user input and then normalize the data. My case was, user enters a MAC address (Since it users, could be in any of the know MAC address formats), so we assigned the entry to a token, then applied eval to format it to our comfort. This was done in the search though. Just posting it in hope that it will give you some more ideas
[search index=blah | eval MacAddress=$MAC|s$|eval MAC=replace(MacAddress,"([-:\.])","")|return MAC]
| wrapped in a subsearch which finally feeds the normalized MAC back to parent search.
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/22604/22604619ae972978767451eb9c8411dc8412662f" alt="frobinson_splun frobinson_splun"
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Hi @jamesmarloww,
I'm not sure of all of the details of the result you are trying to create with "eval" and a token. In case it helps, "eval" expressions in dashboards do use the same syntax as SPL "eval", but there are some exceptions to their behavior and usage (including the regular expression library). See:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/tokens#Custom_logic_for_dashboards
for notes on how dashboard "eval" differs from SPL eval:
http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Eval
Also, have you seen the eval example in the Dashboard Examples App?
https://splunkbase.splunk.com/app/1603/
Hope this helps,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/9a21a/9a21a71bf5bd81720be757df18b9c19ba90e3be2" alt="jamesmarlowww jamesmarlowww"
Thanks. Have now... seems to be half working. But my replace function is only picking up the first occurance. Unlike using it in splunk search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/42edf/42edf6531b4a769f74271e4714646c2920aa1483" alt="mikaelbje mikaelbje"
Did you get this to work? My eval token is only replacing the first occurence too. On 6.5.1 with the following where I try to change:
index=bla OR index=foo
To
bla,foo
by using:
<input type="multiselect" token="tenant_indexes" depends="$multi_tenancy$">
<change>
<eval token="tenant_indexes_filter">replace(replace(tenant_indexes,"index=","")," OR ",",")</eval>
</change>
<label>Tenant</label>
<fieldForLabel>tenant_name</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| `get_tenants_for_user_role($env:user$)`</query>
</search>
<default>index=*</default>
<delimiter> OR </delimiter>
<choice value="index=*">All</choice>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/c46d2/c46d2b1b75321e87dcc3fe6c66db47032d30dcf6" alt="aljohnson_splun aljohnson_splun"
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Did you try no chars?
data:image/s3,"s3://crabby-images/1a552/1a552ff33d37f94e7c5bc13132edaa973c529815" alt=""