Solved: Replace Function when used in token eval does not ...

gdiogo · ‎11-02-2017

I simply wish to prove that point since it wasn't quite established in the several topics I have read about this problem.
(In case you were condering, I use Splunk 6.4.1)
The replace function used in eval to evaluate a token DOES NOT BEHAVE accordingly to what it is supposed to do (which is successfully conducted in the search...) !

THERE IS A HUGE DISCREPANCY BETWEEN REPLACE USED IN A EVAL MADE IN SEARCH VS ONE MADE IN BASIC XML EVAL TAGS

So here it is :
(Try it, it is quite compelling)
This is quite evidently a major dysfunction !!

<form>
  <label>Test</label>
  <description>Test</description>
  <fieldset submitButton="false">
    <input type="text" token="test.input" searchWhenChanged="true">
      <label>test Input</label>
      <change>
        <eval token="test.input.processed">replace(replace(replace(replace(lower($value$), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</eval>
        <eval token="test.input.processed_more_simple">replace(lower($value$), "[^0-9a-f]", "")</eval>
      </change>
      <default>ac23ghzz</default>
    </input>
  </fieldset>
  <row>
    <html>
      Input : $test.input$ &lt;br/&gt;
      Result of eval Token : $test.input.processed$   &lt;br/&gt;
      Result of simplified eval Token : $test.input.processed_more_simple$   &lt;br/&gt;
    </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Test Regex</title>
        <search>
          <query>| gentimes start=-1 | eval input = "$test.input$" | fields input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

So appart from trying to report this issue, I strongly hope for someone to be able to give me a tip and give me a way to accomplish successfully this functionnality with the current state of things.

Thanks in advance 🙂

gdiogo · ‎11-02-2017

After thinking about it, a quite obvious solution is to use a hidden select to run the actual search that I knew worked haha 🙂
So I guess I didn't need to complain about this ! 🙂
Well anyway, in case it is usefull for someone :

<form>
  <label>Test</label>
  <description>Test</description>
  <fieldset submitButton="false">
    <input type="text" token="test.input" searchWhenChanged="true">
      <label>test Input</label>
      <change>
        <eval token="test.input.processed">replace(replace(replace(replace(lower($value$), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</eval>
        <eval token="test.input.processed_more_simple">replace(lower($value$), "[^0-9a-f]", "")</eval>
        <unset token="form.hidden.test.input"></unset><!-- To select first choice anew ! 😉 -->
      </change>
      <default>ac23ghzz</default>
    </input>
    <input type="dropdown" token="hidden.test.input" depends="$never_shown$" searchWhenChanged="true">
      <label>Hidden</label>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| makeresults | eval input = "$form.test.input$" | fields input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1") | eval final_result ='Simplified Result'.";".result</query>
      </search>
      <fieldForLabel>final_result</fieldForLabel>
      <fieldForValue>final_result</fieldForValue>
      <change>
        <eval token="test.workinginput.processed">mvindex(split($value$, ";"), 0)</eval>
        <eval token="test.workinginput.processed_more_simple">mvindex(split($value$, ";"), 1)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
       Input : $test.input$ .......................
       Result of eval Token : $test.input.processed$ .......................
       Result of simplified eval Token : $test.input.processed_more_simple$ .......................
       Result of simplified eval Token through trick : $test.workinginput.processed$ .......................
       Result of eval Token through trick : $test.workinginput.processed_more_simple$ .......................
     </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Test Regex</title>
        <search>
          <query>| makeresults | eval input = "$test.input$" | table input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

gdiogo · ‎11-02-2017

After thinking about it, a quite obvious solution is to use a hidden select to run the actual search that I knew worked haha 🙂
So I guess I didn't need to complain about this ! 🙂
Well anyway, in case it is usefull for someone :

<form>
  <label>Test</label>
  <description>Test</description>
  <fieldset submitButton="false">
    <input type="text" token="test.input" searchWhenChanged="true">
      <label>test Input</label>
      <change>
        <eval token="test.input.processed">replace(replace(replace(replace(lower($value$), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</eval>
        <eval token="test.input.processed_more_simple">replace(lower($value$), "[^0-9a-f]", "")</eval>
        <unset token="form.hidden.test.input"></unset><!-- To select first choice anew ! 😉 -->
      </change>
      <default>ac23ghzz</default>
    </input>
    <input type="dropdown" token="hidden.test.input" depends="$never_shown$" searchWhenChanged="true">
      <label>Hidden</label>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| makeresults | eval input = "$form.test.input$" | fields input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1") | eval final_result ='Simplified Result'.";".result</query>
      </search>
      <fieldForLabel>final_result</fieldForLabel>
      <fieldForValue>final_result</fieldForValue>
      <change>
        <eval token="test.workinginput.processed">mvindex(split($value$, ";"), 0)</eval>
        <eval token="test.workinginput.processed_more_simple">mvindex(split($value$, ";"), 1)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
       Input : $test.input$ .......................
       Result of eval Token : $test.input.processed$ .......................
       Result of simplified eval Token : $test.input.processed_more_simple$ .......................
       Result of simplified eval Token through trick : $test.workinginput.processed$ .......................
       Result of eval Token through trick : $test.workinginput.processed_more_simple$ .......................
     </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Test Regex</title>
        <search>
          <query>| makeresults | eval input = "$test.input$" | table input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

gdiogo · ‎11-02-2017

Sorry for the mistake in formatting : in html tag, should be <br/>
:S

Replace Function when used in token eval does not behave as in search

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes