I have a search to which I sometimes want to do an append, and sometimes not; this should be driven by a dropdown in the GUI. The optional append looks like this:
| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")
I have defined a Dropdown like this:
<input type="dropdown" token="tzz" searchWhenChanged="true">
<choice value="| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") ", {}, e.data); } >TZ</choice>
</input>
And $tzz$ goes at the end of my main search.
My problem is that backslashes, or rather \d in | rex field=time_offset ".(?\d{2}:\d{2})" |, are not accepted inside the token value. Is there a way of escaping them?
Thank you.
Edit (Added):
EventHandler.setToken("tzadjust", "| eval time_splunk=strftime(_time, \"%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)\") | eval time_offset=strftime(_time, \"%:z\") | rex field=time_offset \".(?\d{2}:\d{2})\" | eval time_offset_seconds=time_offset_seconds.\":00\" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, \"%s\") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)==\"+\", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , \"%Y-%m-%d %H:%M:%S\") | eval _time = strptime(time_utc,\"%Y-%m-%d %H:%M:%S\") ", {}, e.data);
}
This is how I set my token, and I have to escape \d in the rex field portion.
Enclose the entire search string in a CDATA tag, like this:
<input type="dropdown" token="tzz" searchWhenChanged="true">
<choice value="<![CDATA[| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S") ", {}, e.data); }]]>TZ</choice>
</input>
How about this?
<input type="dropdown" token="tzz" searchWhenChanged="true">
<choice value=" | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | ">TZ</choice>
</input>
EventHandler.setToken("tzadjust", "| eval time_splunk=strftime(_time, \"%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)\") | eval time_offset=strftime(_time, \"%:z\") | rex field=time_offset \".(?\d{2}:\d{2})\" | eval time_offset_seconds=time_offset_seconds.\":00\" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, \"%s\") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)==\"+\", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , \"%Y-%m-%d %H:%M:%S\") | eval _time = strptime(time_utc,\"%Y-%m-%d %H:%M:%S\") ", {}, e.data);
}
This is how I set my token, and I have to escape \d in the rex field portion.
Can you try the updated query (replacing < and > with the corresponding HTML codes)?
The query which I had provided earlier was a dummy one, @somesoni2. This is the actual one:
| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")
I need the modified token with the corresponding HTML codes.
Try with this:
| eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)") | eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" | convert dur2sec(time_offset_seconds) | eval time_utc_epoch=strftime(_time, "%s") | convert num(time_utc_epoch) | eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds)) | eval time_utc=strftime(time_utc_epoch , "%Y-%m-%d %H:%M:%S") | eval _time = strptime(time_utc,"%Y-%m-%d %H:%M:%S")
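As an added illustration of the answer above (editor's own Python, not code from the thread or from Splunk), the following builds the choice value attribute with the &lt; / &gt; / &quot; replacements and parses it back with a standard XML parser: the backslash in \d needs no escaping at all, while the double quotes and the angle brackets of the named capture group do, and pasting the SPL in raw is rejected as not well-formed XML. The shortened SPL constant is taken from the question.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The optional append from the question, shortened to the rex part: it holds
# double quotes, a backslash in \d and the angle brackets of the named group.
TZ_SPL = (
    '| eval time_offset=strftime(_time, "%:z") '
    '| rex field=time_offset ".(?<time_offset_seconds>\\d{2}:\\d{2})" '
    '| eval time_offset_seconds=time_offset_seconds.":00"'
)


def xml_attr(value: str) -> str:
    """Escape a string for use inside a double-quoted XML attribute.

    escape() turns & < > into &amp; &lt; &gt;; the extra entity handles the
    double quote. A backslash is an ordinary character to XML and is left alone.
    """
    return escape(value, {'"': "&quot;"})


def build_dropdown(token: str, spl: str, escaped: bool = True) -> str:
    """Return the Simple XML <input> block; escaped=False pastes the SPL raw."""
    value = xml_attr(spl) if escaped else spl
    return (
        f'<input type="dropdown" token="{token}" searchWhenChanged="true">\n'
        f'  <choice value="{value}">TZ</choice>\n'
        '</input>'
    )


def choice_value(xml_text: str):
    """Parse the block as the dashboard loader would; None if not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.find("choice").get("value")


if __name__ == "__main__":
    good = build_dropdown("tzz", TZ_SPL)
    print(good)
    print("round-trips unchanged:", choice_value(good) == TZ_SPL)
    raw = build_dropdown("tzz", TZ_SPL, escaped=False)
    print("raw paste is well-formed:", choice_value(raw) is not None)
```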
Try doing $tzz|s$ in your search, to encompass it all in quotes?
Yeah, I did try that @cmerriman. But my search would end up like this: index = myindex| "| eval time_offset=strftime(_time, "%:z") | rex field=time_offset ".(?\d{2}:\d{2})" | eval time_offset_seconds=time_offset_seconds.":00" " which would not yield results for me (it throws an error).
I just created this token in a test dashboard and receive this error. I didn't escape anything, but it came out just fine when I opened it in search.
Error in 'rex' command: Encountered the following error while compiling the regex '.(?\d{2}:\d{2})': Regex: unrecognized character after (? or (?-
The regex is looking for a named group:
| rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})"
Yes, that's what! The regex works fine in a search, but in the dashboard it seems like I have to escape the backslash. Btw, this is not the entire token search which I'm gonna append after my primary search, it's just a small snippet from the token.
@waltz, here is the relevant docs page: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Token_filters
Thank you @rjthibod, I did refer to this docs page and try them out. But it wouldn't escape the backslash in my token.