Splunk Search

How do you remove special characters from a token?

clintla
Contributor

What would be the easiest one line solution to remove special characters from a token?

I'm taking a text input (mac addresses like 00:1B:44:11:3A:B7) from the user, & 1 source type uses the exact address & another source type has no ":" in the address.

I'm using the token as the complete search item (does the search content have an embedded variable?).

When I do things like add a token to an eval command, it doesn't work. It seems like there should be an easier way to get around this problem.

0 Karma

ccl0utier
Splunk Employee

You could use eval tokens:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/tokens#Define_token_filtering_and_formatting

For example:

<eval token="new_token">replace('mac_address_token', ":", "")</eval>

clintla
Contributor

This seems like it would work

I insert w/ stanza

<input type="text" token="WWN1" searchWhenChanged="true">
  <label>Enter WWN</label>
  <default></default>
</input>

replace($WWN1$, ":","") searchWhenChanged="true"

but 2 things are happening.
1- Splunk decides when I refresh the dashboard to re-arrange my code

replace($WWN1$, ":","") searchWhenChanged="true"

<input type="text" token="WWN1" searchWhenChanged="true">
  <label>Enter WWN</label>
  <default></default>
</input>

2- it works after I hit "save" when I put the new stanza after the input, but if I insert another WWN
it never updates; if I refresh the page, Splunk inverts the code again.

0 Karma

chrisyounger
SplunkTrust

What about this: YOUR_SEARCH | eval mac_full = "$token$" | eval mac_short = mac_full | rex field=mac_short mode=sed "s/://g"

0 Karma

clintla
Contributor

I guess the simplest part of this is: how can I remove all ":" from a MAC address & pass it on to another panel?

I don't think escapes will work since it's not a quote. Not sure how escaping would work in any case, since ":"s are throughout the string.

0 Karma

chrisyounger
SplunkTrust

Hi @clintla

When using tokens on dashboards, you should use the token escape sequence $my_token|s$

The |s is the extra part that will add double quotes and take care of escaping for you.

Here is the relevant documentation: https://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Token_filters

I hope this is helpful

0 Karma
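An added example, not posted by anyone in this thread, that combines the two suggestions above in one Simple XML form: the `<eval>` token sits inside the text input's `<change>` handler so it is recomputed on every new entry, and both searches reference their tokens through the `|s` filter so the user's text reaches SPL as a quoted value instead of being spliced in raw. The index, sourcetype and field names are placeholders, the token names are chosen for illustration, and `$value$` is assumed to hold the text just typed into the input.

```xml
<form>
  <label>MAC address lookup (illustrative)</label>
  <fieldset submitButton="false">
    <input type="text" token="mac_address_token" searchWhenChanged="true">
      <label>Enter MAC address (e.g. 00:1B:44:11:3A:B7)</label>
      <change>
        <!-- Derived token: same address with every ":" removed.
             Keeping the eval inside <change> ties it to this input,
             so it is re-evaluated each time the user enters a value. -->
        <eval token="mac_no_colons">replace($value$, ":", "")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Source type that stores the address with colons</title>
      <table>
        <search>
          <!-- |s wraps the token in double quotes and escapes it -->
          <query>index=placeholder_index sourcetype=placeholder_with_colons mac=$mac_address_token|s$</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Source type that stores the address without colons</title>
      <table>
        <search>
          <!-- Derived token, quoted the same way -->
          <query>index=placeholder_index sourcetype=placeholder_no_colons mac=$mac_no_colons|s$</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because `mac_no_colons` is derived from free-text input, it should go through `|s` just like the original token; stripping colons does not remove quotes, pipes or other characters that have meaning in SPL.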

ccl0utier
Splunk Employee

Your question would benefit from an added example to make it clearer.

0 Karma