Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to easily replace a character in a token value ?

ctaf
Contributor
‎01-26-2016 05:29 AM

Hello,

I have a token "user" representing the name of a user. This name can contain "(" or ")". When I am using this token to execute a LDAP search, I get an error because it cannot contains brackets. The solution is to replace 

 ( by \28

and

) by \29.

I tried it without using the token, and it works:

 | ldapsearch domain=mydoman search="(CN=John Doe \\28test\\29)"

Unfortunately, I am using a dashboard to automatically complete this username. I need to replace the brackets by \28 and \29.
Is there a quick way to do this?

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-26-2016 06:08 AM

This would be my approach (simply replace myToken with $yourtoken$ and it should work):

| eval myToken = "(CN=John Doe (test))"
| rex field=myToken mode=sed "s/(^\(.+)(\()/\\1\\\\\28/g"
| rex field=myToken mode=sed "s/([^\)]+)(\))(.*\)$)/\\1\\\\\29\\3/g"

output: (CN=John Doe \\28test\\29)

Alternatively, this one is a bit more robust as it should replace ALL your parenthesis and then fix your LDAP string by appending opening and closing ones:

| eval myToken = "(CN=John Doe (test))"
| eval myToken = replace(myToken, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<tempToken>.+)\\\\\\\\29$"
| eval myToken = "(" . tempToken . ")"
| fields - tempToken

output: (CN=John Doe \\28test\\29)

Alternative number 3 as suggested below:

| gentimes start=-1
| eval myToken = replace($token$, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<tempToken>.+)\\\\\\\\29$"
| eval myToken = "(" . tempToken . ")"
| fields - tempToken
| map search="| ldapsearch domain=mydoman search=\"$$myToken$$\""

Let me know if that helps.

Thanks,
Javier

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-26-2016 06:08 AM

This would be my approach (simply replace myToken with $yourtoken$ and it should work):

| eval myToken = "(CN=John Doe (test))"
| rex field=myToken mode=sed "s/(^\(.+)(\()/\\1\\\\\28/g"
| rex field=myToken mode=sed "s/([^\)]+)(\))(.*\)$)/\\1\\\\\29\\3/g"

output: (CN=John Doe \\28test\\29)

Alternatively, this one is a bit more robust as it should replace ALL your parenthesis and then fix your LDAP string by appending opening and closing ones:

| eval myToken = "(CN=John Doe (test))"
| eval myToken = replace(myToken, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<tempToken>.+)\\\\\\\\29$"
| eval myToken = "(" . tempToken . ")"
| fields - tempToken

output: (CN=John Doe \\28test\\29)

Alternative number 3 as suggested below:

| gentimes start=-1
| eval myToken = replace($token$, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<tempToken>.+)\\\\\\\\29$"
| eval myToken = "(" . tempToken . ")"
| fields - tempToken
| map search="| ldapsearch domain=mydoman search=\"$$myToken$$\""

Let me know if that helps.

Thanks,
Javier

0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎01-26-2016 06:58 AM

The problem is that this solution uses the token value in the "field=XXX" option.

| rex field=John Doe (test) mode=sed "s/(^(.+)(()/\1\\\28/g"
| rex field=John Doe (test) mode=sed "s/([^)]+)())(.*)$)/\1\\\29\3/g"

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-26-2016 07:06 AM

I see what you mean. Sorry i don't have an easy way to test this but what about the following using the map command?

| gentimes start=-1
| eval myToken = replace($token$, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<tempToken>.+)\\\\\\\\29$"
| eval myToken = "(" . tempToken . ")"
| fields - tempToken
| map search="| ldapsearch domain=mydoman search=\"$$myToken$$\""

EDIT: fixed query above as there was a typo because of the copy and paste
EDIT2: adding double $ to myToken

0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎01-26-2016 07:29 AM

This solution give me a "The search is waiting for input" message on my dashboard. I guess it is because "$myToken$" is not set.

EDIT: I think I missed your "edit". What did you change?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-26-2016 07:32 AM

Use double $ sign for mytoken.

0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎01-26-2016 07:38 AM

That's what I did: | ldapsearch domain=mydomain search=\"(CN=$myToken$)\"

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-26-2016 07:43 AM

No like this

 | ldapsearch domain=mydomain search="(CN=$$myToken$$)"
0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎01-26-2016 08:03 AM

Oh OK. We're progressing, but it still doesn't work. I am not sure what is "tempToken" for as it is empty and the last "eval myToken" makes "myToken" empty too... Very strange.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-26-2016 08:09 AM

That was just me wanting to display all the different field values for debugging purposes in my test query. Feel free to get rid of it:

| gentimes start=-1
| eval myToken = replace($token$, "\(", "\\\\\28") 
| eval myToken = replace(myToken, "\)", "\\\\\29")
| rex field=myToken "^\\\\\\\\28(?<myToken>.+)\\\\\\\\29$"
| eval myToken = "(" . myToken . ")"
| map search="| ldapsearch domain=mydoman search=\"$$myToken$$\""
0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎01-26-2016 08:26 AM

Yeah ! I managed to make it work:

| gentimes start=-1 | eval myToken = replace("$user$", "\(", "\\28")   | eval myToken = replace(myToken, "\)", "\\29")  | map search="| ldapsearch domain=mydomain search=\"(CN=$$myToken$$)\""

Splunk was showing only 2 backslash in when you set up 5 of them but when using it in the LDAP search, it needed only 2...

I removed the rex function and the last eval too.

I have one more question: What is "gentimes" for ?

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-26-2016 08:29 AM

That's just for my example to be able to use non search commands when you don't really have a search. You can use "| stats count" too.

It is quite useful when testing things as otherwise you need to start your search with an actual search or input type command.

There are other uses for gentimes of course. See the doc

Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎01-26-2016 05:46 AM

Use eval replace() to reformat the token value

| eval foo=replace($token$),"\(","\28") |eval foo=replace(foo,"\)","\29") |  ldapsearch domain=mydomain search=foo

See replace() in http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commonevalfunctions

0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎01-26-2016 05:56 AM

This is something I tried but if I do that, "foo" won't be evaluated. So the LDAP Search string is just the string "foo".

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎01-26-2016 07:39 AM

Use map as well then: 

| eval foo=replace($token$),"\(","\28") |eval foo=replace(foo,"\)","\29") | map search="| ldapsearch domain=mydoman search=$foo$"
0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎01-26-2016 08:26 AM

Thank you !

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...