- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set a token with eval?

I'm trying to set a token with eval. However, my logic doesn't seem to be working. I haven't been able to find a working example in the docs or from Answers, so a nudge in the right direction would be appreciated
<input type="text" token="stuff">
<label>test</label>
<default>bband</default>
<change>
<eval token="stuff">replace($stuff$, ",", " OR ACCOUNT_NO=")</eval>
</change>
</input>
Have also tried using '
chars instead of $
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Check out eval token
here:
https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below should work -
<eval token="stuff">replace('value', ",", " OR ACCOUNT_NO=")</eval>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Even i am facing the related issue.
<condition field="_raw">
<set token="serv">$serv$</set>
<set token="src">$row.source$</set>
<eval token="srcEval">rtrim('src',"_txn_log")</eval>
<set token="uri">$row.uri$</set>
<set token="_raw">$click.value2$</set>
</condition>
I am trying to set token(srcEval) by using eval command..but it is not working ...Could you help ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Have you tried
rtrim(src,"_txn_log")
Without the ' char?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried $value$ instead of $stuff$?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

From my comments above, it looks like I got it mostly working like this
<eval token="stuff">replace(stuff, ",", " OR ACCOUNT_NO=")</eval>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Yeah I think differences between the SPL eval and XML eval is what is causing different results.
"It is also important to note that regular expressions in dashboard eval expressions use the syntax and semantics of the JavaScript regular expression engine. This is not the same engine used for SPL eval expressions. If you are using regular expressions in search tokens, check that syntax and semantics match those for JavaScript."
Anyways thanks @frobinson_splunk and @aljohnson_splunk for your time and advice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

I have used eval previously to straighten out a user input and then normalize the data. My case was, user enters a MAC address (Since it users, could be in any of the know MAC address formats), so we assigned the entry to a token, then applied eval to format it to our comfort. This was done in the search though. Just posting it in hope that it will give you some more ideas
[search index=blah | eval MacAddress=$MAC|s$|eval MAC=replace(MacAddress,"([-:\.])","")|return MAC]
| wrapped in a subsearch which finally feeds the normalized MAC back to parent search.
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi @jamesmarloww,
I'm not sure of all of the details of the result you are trying to create with "eval" and a token. In case it helps, "eval" expressions in dashboards do use the same syntax as SPL "eval", but there are some exceptions to their behavior and usage (including the regular expression library). See:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/tokens#Custom_logic_for_dashboards
for notes on how dashboard "eval" differs from SPL eval:
http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Eval
Also, have you seen the eval example in the Dashboard Examples App?
https://splunkbase.splunk.com/app/1603/
Hope this helps,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Thanks. Have now... seems to be half working. But my replace function is only picking up the first occurance. Unlike using it in splunk search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

Did you get this to work? My eval token is only replacing the first occurence too. On 6.5.1 with the following where I try to change:
index=bla OR index=foo
To
bla,foo
by using:
<input type="multiselect" token="tenant_indexes" depends="$multi_tenancy$">
<change>
<eval token="tenant_indexes_filter">replace(replace(tenant_indexes,"index=","")," OR ",",")</eval>
</change>
<label>Tenant</label>
<fieldForLabel>tenant_name</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| `get_tenants_for_user_role($env:user$)`</query>
</search>
<default>index=*</default>
<delimiter> OR </delimiter>
<choice value="index=*">All</choice>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Did you try no chars?
