Splunk Search

How to set a token with eval?

Path Finder

I'm trying to set a token with eval. However, my logic doesn't seem to be working. I haven't been able to find a working example in the docs or from Answers, so a nudge in the right direction would be appreciated

  <input type="text" token="stuff">
    <eval token="stuff">replace($stuff$, ",", " OR ACCOUNT_NO=")</eval>

Have also tried using ' chars instead of $

Esteemed Legend
0 Karma


Below should work -

 <eval token="stuff">replace('value', ",", " OR ACCOUNT_NO=")</eval>

New Member

Hi ,

Even i am facing the related issue.

        <condition field="_raw">
        <set token="serv">$serv$</set>
        <set token="src">$row.source$</set>

       <eval token="srcEval">rtrim('src',"_txn_log")</eval> 

        <set token="uri">$row.uri$</set>
        <set token="_raw">$click.value2$</set>

I am trying to set token(srcEval) by using eval command..but it is not working ...Could you help ??

0 Karma

Path Finder

Have you tried


Without the ' char?

0 Karma


Have you tried $value$ instead of $stuff$?

0 Karma

Path Finder

From my comments above, it looks like I got it mostly working like this

     <eval token="stuff">replace(stuff, ",", " OR ACCOUNT_NO=")</eval>
0 Karma

Path Finder

Yeah I think differences between the SPL eval and XML eval is what is causing different results.

"It is also important to note that regular expressions in dashboard eval expressions use the syntax and semantics of the JavaScript regular expression engine. This is not the same engine used for SPL eval expressions. If you are using regular expressions in search tokens, check that syntax and semantics match those for JavaScript."

Anyways thanks @frobinson_splunk and @aljohnson_splunk for your time and advice


I have used eval previously to straighten out a user input and then normalize the data. My case was, user enters a MAC address (Since it users, could be in any of the know MAC address formats), so we assigned the entry to a token, then applied eval to format it to our comfort. This was done in the search though. Just posting it in hope that it will give you some more ideas

[search index=blah | eval MacAddress=$MAC|s$|eval MAC=replace(MacAddress,"([-:\.])","")|return MAC]| wrapped in a subsearch which finally feeds the normalized MAC back to parent search.


0 Karma

Splunk Employee
Splunk Employee

Hi @jamesmarloww,
I'm not sure of all of the details of the result you are trying to create with "eval" and a token. In case it helps, "eval" expressions in dashboards do use the same syntax as SPL "eval", but there are some exceptions to their behavior and usage (including the regular expression library). See:

for notes on how dashboard "eval" differs from SPL eval:

Also, have you seen the eval example in the Dashboard Examples App?

Hope this helps,

Path Finder

Thanks. Have now... seems to be half working. But my replace function is only picking up the first occurance. Unlike using it in splunk search

0 Karma


Did you get this to work? My eval token is only replacing the first occurence too. On 6.5.1 with the following where I try to change:

index=bla OR index=foo



by using:

    <input type="multiselect" token="tenant_indexes" depends="$multi_tenancy$">
        <eval token="tenant_indexes_filter">replace(replace(tenant_indexes,"index=","")," OR ",",")</eval>
        <query>| `get_tenants_for_user_role($env:user$)`</query>
      <delimiter> OR </delimiter>
      <choice value="index=*">All</choice>
0 Karma

Splunk Employee
Splunk Employee

Did you try no chars?

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!