Splunk Search

How can I escape backslash in a token to modify a search?

waltz
Explorer

I have a search which sometimes I want to do an append, and sometimes not - this should be driven by a dropdown in the GUI. The optional append looks like this:

| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")  | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") 

I have defined a Dropdown like this:

<input type="dropdown" token="tzz" searchWhenChanged="true">
         <choice value="| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")  | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") ", {}, e.data); } >TZ</choice>
</input>

And $tzz$ goes at the end of my main search.

My problem is that backslashes or rather \d in | rex field=time_offset ".(?\d{2}:\d{2})" | are not accepted inside the token value. Is there a way of escaping them?

Thank you.

Edit(Added):

EventHandler.setToken("tzadjust", "| eval time_splunk=strftime(_time, \"%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)\") | eval time_offset=strftime(_time, \"%:z\") | rex field=time_offset \".(?\d{2}:\d{2})\" | eval time_offset_seconds=time_offset_seconds.\":00\" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, \"%s\") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)==\"+\", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , \"%Y-%m-%d %H:%M:%S\") | eval _time = strptime(time_utc,\"%Y-%m-%d %H:%M:%S\") ", {}, e.data);
}

This is how I set my token and I have to escape \d in the rex field portion.

0 Karma

woodcock
Esteemed Legend

Enclose the entire search string in a CDATA tag, like this:

<input type="dropdown" token="tzz" searchWhenChanged="true">
   <choice value="![CDATA[| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")  | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") ", {}, e.data); }]]>TZ</choice>
</input>
0 Karma

somesoni2
Revered Legend

How about this?

<input type="dropdown" token="tzz" searchWhenChanged="true">
<choice value=" | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?&lt;time_offset_seconds&gt;\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | ">TZ</choice>
</input>
0 Karma

waltz
Explorer

EventHandler.setToken("tzadjust", "| eval time_splunk=strftime(_time, \"%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)\") | eval time_offset=strftime(_time, \"%:z\") | rex field=time_offset \".(?\d{2}:\d{2})\" | eval time_offset_seconds=time_offset_seconds.\":00\" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, \"%s\") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)==\"+\", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , \"%Y-%m-%d %H:%M:%S\") | eval _time = strptime(time_utc,\"%Y-%m-%d %H:%M:%S\") ", {}, e.data);
}

This is how I set my token and I have to escape \d in the rex field portion.

0 Karma

somesoni2
Revered Legend

Can you try the updated query (replacing < and > with the corresponding HTML code)?

0 Karma

waltz
Explorer

The query which I had provided earlier was a dummy one @somesoni2 . This is the actual one :

| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")

I need the modified token with the corresponding HTML code.

0 Karma

somesoni2
Revered Legend

Try with this:

| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?&lt;time_offset_seconds&gt;\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")
0 Karma

cmerriman
Super Champion

Try doing $tzz|s$ in your search, to encompass it all in quotes?

0 Karma

waltz
Explorer

Yeah, I did try that @cmerriman. But my search would end up like this: index = myindex| "| eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" " which would not yield results for me (throws out an error).

0 Karma

cmerriman
Super Champion

I just created this token in a test dashboard and receive this error. I didn't escape anything but it came out just fine when I opened it in search.

Error in 'rex' command: Encountered the following error while compiling the regex '.(?\d{2}:\d{2})': Regex: unrecognized character after (? or (?-

The regex is looking for a named group:

| rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})"
0 Karma
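The two replies above point at the same mechanism: the `\d` in the token is not the problem, the `<time_offset_seconds>` named group is, because a raw `<` (and a raw `"`) inside a Simple XML attribute value is not well-formed XML, while the entity-encoded `&lt;`/`&gt;` form in somesoni2's query survives parsing and gives back the original regex. The following script is an added example, not code from the thread or from Splunk; it uses only the Python standard library to show what an XML parser does with each form of the `rex` stage, and that a backslash passes through an XML attribute untouched. The sample offset value `+05:30` is constructed, and the Python `re` module needs `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`, so the pattern is translated before compiling.

```python
"""Added example (not from the thread): how an XML parser treats the characters
inside a Simple XML <choice value="..."> attribute. Standard library only."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The rex stage as typed in the search bar: a PCRE named group
# <time_offset_seconds> and a \d character class (taken from the thread).
REX_SPL = r'| rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})"'


def escape_for_attribute(value: str) -> str:
    """Encode the characters XML does not allow raw inside a double-quoted
    attribute: & < > and the quote itself. Backslashes are not special in
    XML and pass through untouched."""
    return escape(value, {'"': "&quot;"})


def dropdown_xml(choice_value: str) -> str:
    """Minimal dropdown with one <choice>; the value is inserted verbatim so
    the caller decides whether it has been escaped."""
    return (
        '<input type="dropdown" token="tzz" searchWhenChanged="true">'
        f'<choice value="{choice_value}">TZ</choice>'
        "</input>"
    )


def token_value_from_xml(xml_text: str):
    """Parse the fragment as an XML loader would and return the decoded
    choice value, or None when the fragment is not well-formed XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.find("choice").get("value")


def regex_from_rex(rex_stage: str) -> str:
    """Pull the quoted regex out of a '| rex field=... "..."' stage."""
    return rex_stage.split('"', 1)[1].rsplit('"', 1)[0]


def regex_compiles(pattern: str) -> bool:
    """Check whether a regex compiles. Python's re spells a named group
    (?P<name>...) where PCRE (used by rex) accepts (?<name>...), so the
    Splunk form is translated first."""
    try:
        re.compile(pattern.replace("(?<", "(?P<"))
        return True
    except re.error:
        return False


def extract_offset(rex_stage: str, time_offset: str) -> str:
    """Apply the extracted regex to a strftime("%:z") value such as +05:30
    and return the captured group, i.e. the field rex would create."""
    pattern = regex_from_rex(rex_stage).replace("(?<", "(?P<")
    match = re.search(pattern, time_offset)
    return match.group("time_offset_seconds") if match else ""


def demo() -> dict:
    """Run the cases the thread turns on and return the results."""
    # Raw: the inner quotes and the < of the named group break the XML.
    raw = token_value_from_xml(dropdown_xml(REX_SPL))
    # Entity-encoded: parses, and decodes back to the exact original text.
    decoded = token_value_from_xml(dropdown_xml(escape_for_attribute(REX_SPL)))
    # What the thread's error message shows: the group name swallowed.
    stripped = regex_from_rex(REX_SPL).replace("<time_offset_seconds>", "")
    return {
        "raw_parses": raw is not None,                                   # False
        "roundtrip_ok": decoded == REX_SPL,                              # True
        "escaped_regex_compiles": regex_compiles(regex_from_rex(decoded)),  # True
        "stripped_regex_compiles": regex_compiles(stripped),             # False
        "offset": extract_offset(decoded, "+05:30"),                     # "05:30"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The round trip is the point worth keeping in mind when building tokens: escape the XML-significant characters (`<`, `>`, `&`, `"`) at the attribute layer and leave the regex itself alone; a stray `<...>` that reaches Splunk stripped is what produces the "unrecognized character after (?" error in the reply above.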

waltz
Explorer

Yes, that's what! The regex works fine in a search, but in the dashboard it seems like I have to escape the backslash. Btw, this is not the entire token search which I'm gonna append after my primary search, it's just a small snippet from the token.

0 Karma

rjthibod
Champion
0 Karma

waltz
Explorer

Thank you @rjthibod, I did refer to this docs page and try it out. But it wouldn't escape the backslash in my token.

0 Karma