Why is eval in my Simple XML not working to set and return certain token values?

blurblebot
Communicator

I've been having trouble trying to strptime a timestamp entered as an input for a dashboard, and had gotten strange results, so I've backed up and have tried to test some of the XML functions with more simple cases to see where I'm going wrong.

Unfortunately, I've made some test cases as simple as I can make them, and still something is wrong with my evals. I just can't sort it out.

If I enter, say, "giraffe" into my input for the form described below, the only token that returns is the $newname$ token. $uCase$ and $leno$ both return "null".

With my test evals being so short, it has to (has to has to) be something simple, but I can't figure it out.

Pliz halp.

<form>
  <label>TimeTestTakeThree</label>
  <fieldset submitButton="true">
    <input type="text" token="newname">
      <label>labelrino</label>
      <default>giraffe</default>
      <change>
        <eval token="Ucase">upper('newname')</eval>
        <eval token="leno">len('newname')</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
      <p>Raw Entry: <b>$newname$</b></p>
      <p>Upper(raw):<b>$Ucase$</b></p>
      <p>Length(raw): <b>$leno$</b></p>
    </html>
  </row>
</form>

ro_mc
Path Finder

I realise this is a post from 2016, but I noticed that the <input> uses a <default> value rather than the recommended <initial> value per the Splunk docs (for the current version of 8.2.3), which may help others while troubleshooting this or similar issues on newer Splunk versions.

https://docs.splunk.com/Documentation/Splunk/8.2.3/Viz/FormEditor#Configure_input_value_handling

0 Karma

rjthibod
Champion

Try using the built-in token value instead of newname in the change block.

<form>
  <label>TimeTestTakeThree</label>
  <fieldset submitButton="true">
    <input type="text" token="newname">
      <label>labelrino</label>
      <default>giraffe</default>
      <change>
        <eval token="Ucase">upper('value')</eval>
        <eval token="leno">len('value')</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
      <p>Raw Entry: <b>$newname$</b></p>
      <p>Upper(raw):<b>$Ucase$</b></p>
      <p>Length(raw): <b>$leno$</b></p>
    </html>
  </row>
</form>

Treep
Explorer

Hi, did you manage to find a solution to this yet? I have almost exactly the same problem, only that using $tokenname$ or 'tokenname' doesn't give me anything (isn't replaced by token value) and just using tokenname without $ or ' only results in 0 or "null".

0 Karma

nfilippi_splunk
Splunk Employee

Try this:

<form>
  <label>TimeTestTakeThree</label>

  <fieldset submitButton="true">
    <input type="text" token="newname">
      <label>labelrino</label>
      <default>giraffe</default>
      <change>
        <eval token="ucaseSetToken">upper('newname')</eval>
      </change>
    </input>
  </fieldset>

  <row>
    <panel>
      <html>
        <p>upperSetToken:<b>$ucaseSetToken$</b></p>
      </html>
    </panel>
  </row>

</form>
0 Karma

niketn
Legend

Correct the following in your change event handler:

   <change>
     <eval token="Ucase">upper($newname$)</eval>
     <eval token="leno">len($newname$)</eval>
   </change>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

blurblebot
Communicator

Tried already. Still comes back null.

<form>
  <label>TimeTestTakeThree</label>
  <fieldset submitButton="true">
    <input type="text" token="newname">
      <label>labelrino</label>
      <default>giraffe</default>
      <change>
        <eval token="ucaseSetToken">upper($newname$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
      <p>upperSetToken:<b>$ucaseSetToken$</b></p>
    </html>
  </row>
</form>
0 Karma