Splunk Search

Replace Function when used in token eval does not behave as in search

gdiogo
Explorer

I simply wish to prove that point since it wasn't quite established in the several topics I have read about this problem.
(In case you were wondering, I use Splunk 6.4.1)
The replace function used in eval to evaluate a token DOES NOT BEHAVE according to what it is supposed to do (which is successfully conducted in the search...)!

THERE IS A HUGE DISCREPANCY BETWEEN REPLACE USED IN AN EVAL MADE IN SEARCH VS ONE MADE IN BASIC XML EVAL TAGS

So here it is:
(Try it, it is quite compelling)
This is quite evidently a major dysfunction!!

<form>
  <label>Test</label>
  <description>Test</description>
  <fieldset submitButton="false">
    <input type="text" token="test.input" searchWhenChanged="true">
      <label>test Input</label>
      <change>
        <eval token="test.input.processed">replace(replace(replace(replace(lower($value$), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</eval>
        <eval token="test.input.processed_more_simple">replace(lower($value$), "[^0-9a-f]", "")</eval>
      </change>
      <default>ac23ghzz</default>
    </input>
  </fieldset>
  <row>
    <html>
      Input : $test.input$ <br/>
      Result of eval Token : $test.input.processed$ <br/>
      Result of simplified eval Token : $test.input.processed_more_simple$ <br/>
    </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Test Regex</title>
        <search>
          <query>| gentimes start=-1 | eval input = "$test.input$" | fields input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

So apart from trying to report this issue, I strongly hope someone will be able to give me a tip and a way to accomplish this functionality successfully with the current state of things.

Thanks in advance 🙂

1 Solution

gdiogo
Explorer

After thinking about it, a quite obvious solution is to use a hidden select to run the actual search that I knew worked haha 🙂
So I guess I didn't need to complain about this! 🙂
Well anyway, in case it is useful for someone:

<form>
  <label>Test</label>
  <description>Test</description>
  <fieldset submitButton="false">
    <input type="text" token="test.input" searchWhenChanged="true">
      <label>test Input</label>
      <change>
        <eval token="test.input.processed">replace(replace(replace(replace(lower($value$), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</eval>
        <eval token="test.input.processed_more_simple">replace(lower($value$), "[^0-9a-f]", "")</eval>
        <unset token="form.hidden.test.input"></unset><!-- To select first choice anew ! 😉 -->
      </change>
      <default>ac23ghzz</default>
    </input>
    <input type="dropdown" token="hidden.test.input" depends="$never_shown$" searchWhenChanged="true">
      <label>Hidden</label>
      <selectFirstChoice>true</selectFirstChoice>
      <!-- The |s token filter wraps the value in double quotes and escapes any
           embedded double quotes, so a quote typed into the text box cannot
           break out of the eval string and alter the search -->
      <search>
        <query>| makeresults | eval input = $form.test.input|s$ | fields input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1") | eval final_result ='Simplified Result'.";".result</query>
      </search>
      <fieldForLabel>final_result</fieldForLabel>
      <fieldForValue>final_result</fieldForValue>
      <change>
        <!-- final_result is "<simplified>;<full result>": index 0 is the simplified value, index 1 the full one -->
        <eval token="test.workinginput.processed">mvindex(split($value$, ";"), 1)</eval>
        <eval token="test.workinginput.processed_more_simple">mvindex(split($value$, ";"), 0)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
       Input : $test.input$ <br/>
       Result of eval Token : $test.input.processed$ <br/>
       Result of simplified eval Token : $test.input.processed_more_simple$ <br/>
       Result of eval Token through trick : $test.workinginput.processed$ <br/>
       Result of simplified eval Token through trick : $test.workinginput.processed_more_simple$ <br/>
     </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Test Regex</title>
        <search>
          <query>| makeresults | eval input = $test.input|s$ | table input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>


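The search-side eval chain in the post is a MAC-address normaliser: it strips everything that is not a hex digit, inserts a dash after every two hex digits and caps the result at the 17 characters of xx-xx-xx-xx-xx-xx. As an added example that is not part of the post or of Splunk, the following Python replays that chain with re.sub, whose replace-all, \1-style back-reference semantics match Splunk's replace(), so the reference output for any input can be computed offline and compared with what the token eval displays. The function names, the constructed sample inputs and the extra is_complete_mac check are assumptions of this example, not something the post contains.

```python
import re

# Python model (added here, not Splunk code) of the search-side eval chain in
# the post.  Splunk's replace(X, REGEX, REPL) substitutes every occurrence and
# uses \1, \2 for back-references; re.sub behaves the same, so the four steps
# can be replayed outside the dashboard to obtain the reference output.
SPL_REPLACE_CHAIN = [
    (r"[^0-9a-f]", ""),                     # 1. drop every non-hex character
    (r"(..)(.{1,2})", r"\1-\2"),            # 2. "aabbccddeeff" -> "aa-bbcc-ddee-ff"
    (r"([^\-]{2})([^\-]{1,2})", r"\1-\2"),  # 3. split the remaining 4-char runs
    (r"(.{17}).*", r"\1"),                  # 4. keep at most 17 chars: xx-xx-xx-xx-xx-xx
]


def simplified(value: str) -> str:
    """The post's 'Simplified Result': lower() then strip non-hex characters."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def spl_lower_replace_chain(value: str) -> str:
    """Replay lower() followed by the four nested replace() calls, innermost first."""
    out = value.lower()
    for pattern, repl in SPL_REPLACE_CHAIN:
        out = re.sub(pattern, repl, out)
    return out


# Hypothetical extra check, not in the post: the chain silently truncates long
# input and passes short input through unchanged, so confirm the result is a
# complete MAC before using it as a lookup key.
FULL_MAC = re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}")


def is_complete_mac(value: str) -> bool:
    return FULL_MAC.fullmatch(spl_lower_replace_chain(value)) is not None


if __name__ == "__main__":
    # Constructed sample inputs, including the dashboard's default value "ac23ghzz".
    for sample in ["ac23ghzz", "00:1A:2B:3C:4D:5E", "001a2b3c4d5e-ff", "aabbcc"]:
        print(f"{sample!r:22} -> {spl_lower_replace_chain(sample)!r:22} "
              f"complete={is_complete_mac(sample)}")
```

Running it shows the default value collapsing to `ac-23` (the g, h and z characters are discarded and the remainder is too short to be a MAC), a colon-separated address becoming `00-1a-2b-3c-4d-5e`, and a 14-digit input being cut to the first 17 characters of the dashed form; the last behaviour is why the added completeness check is worth keeping next to the chain.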


gdiogo
Explorer

Sorry for the mistake in formatting: in the html tag, it should be <br/>
:S
