Splunk Search

How can I escape backslash in a token to modify a search?

waltz
Explorer

I have a search which sometimes I want to do an append, and sometimes not - this should be driven by a dropdown in the GUI. The optional append looks like this:

| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")  | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") 

I have defined a Dropdown like this:

< input type="dropdown" token="tzz" searchWhenChanged="true">
         < choice value="| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")  | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") ", {}, e.data); } >TZ< /choice>
< /input>

And $tzz$ goes at the end of my main search.

My problem is that backslashes or rather \d in | rex field=time_offset ".(?\d{2}:\d{2})" | are not accepted inside the token value. Is there a way of escaping them?

Thank you.

Edit(Added):

EventHandler.setToken("tzadjust", "| eval time_splunk=strftime(_time, \"%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)\") | eval time_offset=strftime(_time, \"%:z\") | rex field=time_offset \".(?\d{2}:\d{2})\" | eval time_offset_seconds=time_offset_seconds.\":00\" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, \"%s\") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)==\"+\", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , \"%Y-%m-%d %H:%M:%S\") | eval _time = strptime(time_utc,\"%Y-%m-%d %H:%M:%S\") ", {}, e.data);
}

This is how I set my token and I have to escape \d in the rex field portion.

0 Karma

woodcock
Esteemed Legend

Enclose the entire search string in a CDATA tag, like this:

< input type="dropdown" token="tzz" searchWhenChanged="true">
   < choice value="![CDATA[| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")  | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") ", {}, e.data); }]]>TZ< /choice>
< /input>
0 Karma

somesoni2
SplunkTrust
SplunkTrust

How about this?

< input type="dropdown" token="tzz" searchWhenChanged="true">
< choice value=" | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?&lt;time_offset_seconds&gt;\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | >TZ< /choice> < /input>
0 Karma

waltz
Explorer

EventHandler.setToken("tzadjust", "| eval time_splunk=strftime(_time, \"%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)\") | eval time_offset=strftime(_time, \"%:z\") | rex field=time_offset \".(?\d{2}:\d{2})\" | eval time_offset_seconds=time_offset_seconds.\":00\" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, \"%s\") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)==\"+\", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , \"%Y-%m-%d %H:%M:%S\") | eval _time = strptime(time_utc,\"%Y-%m-%d %H:%M:%S\") ", {}, e.data);
}

This is how I set my token and I have to escape \d in the rex field portion.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

can you try updated query (replacing < and > with corresponding html code.)

0 Karma

waltz
Explorer

The query which I had provided earlier was a dummy one @somesoni2 . This is the actual one :

| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")

I need the modifed token of the corresponding html code .

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try with this:

| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?&lt;time_offset_seconds&gt;\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")
0 Karma

cmerriman
Super Champion

try doing $tzz|s$ in your search. to encompass it all in quotes?

0 Karma

waltz
Explorer

Yeah, I did try that @cmerriman. But my search would end up like this: index = myindex| "| eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" " which would not yield results to me (throws out an error) .

0 Karma

cmerriman
Super Champion

i just created this token in a test dashboard and receive this error. I didn't escape anything but it came out just fine when i opened it in search.
Error in 'rex' command: Encountered the following error while compiling the regex '.(?\d{2}:\d{2})': Regex: unrecognized character after (? or (?-
the regex is looking for a naming group

| rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})"
0 Karma

waltz
Explorer

Yes, that's what! The regex works fine in a search, but in the dashboard it seems like I have to escape the backslash. Btw, this is not the entire token search which I'm gonna append after my primary search,it's just a small snippet from the token.

0 Karma

rjthibod
Champion
0 Karma

waltz
Explorer

Thanks you @rjthibod, I did refer this docs page and try them out. But it wouldn't escape the backslash in my token.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...