Splunk Search

Why is eval in my Simple XML not working to set and return certain token values?

blurblebot
Communicator

I've been having trouble trying to strptime a timestamp entered as an input for a dashboard, and had gotten strange results, so I've backed up and have tried to test some of the XML functions with more simple cases to see where I'm going wrong.

Unfortunately, I've made some test cases as simple as I can make them, and still something is wrong with my evals. I just can't sort it out.

If I enter, say "giraffe" into my input for the form described below, the only token that returns is the $newname$ token. $uCase$ and $leno$ both return "null"

With my test evals being so short, it has to (has to has to) be something simple, but I can't figure it out.

Pliz halp.

 <form>
      <label>TimeTestTakeThree</label>
      <fieldset submitButton="true">
        <input type="text" token="newname">
          <label>labelrino</label>
          <default>giraffe</default>
          <change>
            <eval token="Ucase">upper('newname')</eval>
            <eval token="leno">len('newname')</eval>
          </change>
        </input>
      </fieldset>
       <row>
             <html>
                 <p>Raw Entry: <b>$newname$</b></p>
                 <p>Upper(raw):<b>$Ucase$</b></p>
               <p>Length(raw): <b>$leno$</b></p>
             </html>
         </row>
    </form>

ro_mc
Path Finder

I realise this is a post from 2016, but I noticed that the <input> uses a <default> value rather than the recommended <initial> value per the Splunk docs (for the current version of 8.2.3), which may help others while troubleshooting this or similar issues on newer Splunk versions.

https://docs.splunk.com/Documentation/Splunk/8.2.3/Viz/FormEditor#Configure_input_value_handling

0 Karma

rjthibod
Champion

Try using the built-in token value instead of newname in the change block.

<form>
  <label>TimeTestTakeThree</label>
  <fieldset submitButton="true">
    <input type="text" token="newname">
      <label>labelrino</label>
      <default>giraffe</default>
      <change>
        <eval token="Ucase">upper('value')</eval>
        <eval token="leno">len('value')</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
      <p>Raw Entry: <b>$newname$</b></p>
      <p>Upper(raw):<b>$Ucase$</b></p>
      <p>Length(raw): <b>$leno$</b></p>
    </html>
  </row>
</form>

Treep
Explorer

Hi, did you manage to find a solution to this yet? I have almost exactly the same problem, only that using $tokenname$ or 'tokenname' doesn't give me anything (isn't replaced by token value) and just using tokenname without $ or ' only results in 0 or "null".

0 Karma

nfilippi_splunk
Splunk Employee
Splunk Employee

Try this:

<form>
  <label>TimeTestTakeThree</label>

  <fieldset submitButton="true">
    <input type="text" token="newname">
      <label>labelrino</label>
      <default>giraffe</default>
      <change>
        <eval token="ucaseSetToken">upper('newname')</eval>
      </change>
    </input>
  </fieldset>

  <row>
    <panel>
      <html>
        <p>upperSetToken:<b>$ucaseSetToken$</b></p>
      </html>
    </panel>
  </row>

</form>
0 Karma

niketn
Legend

Correct the following in your change event handler

   <change>
     <eval token="Ucase">upper($newname$)</eval>
     <eval token="leno">len($newname$)</eval>
   </change>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

blurblebot
Communicator

Tried already. Still comes back null.

   <form>
      <label>TimeTestTakeThree</label>
      <fieldset submitButton="true">
        <input type="text" token="newname">
          <label>labelrino</label>
          <default>giraffe</default>
          <change>
            <eval token="ucaseSetToken">upper($newname$)</eval>
          </change>
        </input>
      </fieldset>
       <row>
             <html>
                 <p>upperSetToken:<b>$ucaseSetToken$</b></p>
             </html>
         </row>
    </form>
0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...