Solved: Replace Function when used in token eval does not ...

gdiogo · ‎11-02-2017

I simply wish to prove that point since it wasn't quite established in the several topics I have read about this problem.
(In case you were condering, I use Splunk 6.4.1)
The replace function used in eval to evaluate a token DOES NOT BEHAVE accordingly to what it is supposed to do (which is successfully conducted in the search...) !

THERE IS A HUGE DISCREPANCY BETWEEN REPLACE USED IN A EVAL MADE IN SEARCH VS ONE MADE IN BASIC XML EVAL TAGS

So here it is :
(Try it, it is quite compelling)
This is quite evidently a major dysfunction !!

<form>
  <label>Test</label>
  <description>Test</description>
  <fieldset submitButton="false">
    <input type="text" token="test.input" searchWhenChanged="true">
      <label>test Input</label>
      <change>
        <eval token="test.input.processed">replace(replace(replace(replace(lower($value$), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</eval>
        <eval token="test.input.processed_more_simple">replace(lower($value$), "[^0-9a-f]", "")</eval>
      </change>
      <default>ac23ghzz</default>
    </input>
  </fieldset>
  <row>
    <html>
      Input : $test.input$ &lt;br/&gt;
      Result of eval Token : $test.input.processed$   &lt;br/&gt;
      Result of simplified eval Token : $test.input.processed_more_simple$   &lt;br/&gt;
    </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Test Regex</title>
        <search>
          <query>| gentimes start=-1 | eval input = "$test.input$" | fields input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

So appart from trying to report this issue, I strongly hope for someone to be able to give me a tip and give me a way to accomplish successfully this functionnality with the current state of things.

Thanks in advance 🙂

gdiogo · ‎11-02-2017

After thinking about it, a quite obvious solution is to use a hidden select to run the actual search that I knew worked haha 🙂
So I guess I didn't need to complain about this ! 🙂
Well anyway, in case it is usefull for someone :

<form>
  <label>Test</label>
  <description>Test</description>
  <fieldset submitButton="false">
    <input type="text" token="test.input" searchWhenChanged="true">
      <label>test Input</label>
      <change>
        <eval token="test.input.processed">replace(replace(replace(replace(lower($value$), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</eval>
        <eval token="test.input.processed_more_simple">replace(lower($value$), "[^0-9a-f]", "")</eval>
        <unset token="form.hidden.test.input"></unset><!-- To select first choice anew ! 😉 -->
      </change>
      <default>ac23ghzz</default>
    </input>
    <input type="dropdown" token="hidden.test.input" depends="$never_shown$" searchWhenChanged="true">
      <label>Hidden</label>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| makeresults | eval input = "$form.test.input$" | fields input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1") | eval final_result ='Simplified Result'.";".result</query>
      </search>
      <fieldForLabel>final_result</fieldForLabel>
      <fieldForValue>final_result</fieldForValue>
      <change>
        <eval token="test.workinginput.processed">mvindex(split($value$, ";"), 0)</eval>
        <eval token="test.workinginput.processed_more_simple">mvindex(split($value$, ";"), 1)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
       Input : $test.input$ .......................
       Result of eval Token : $test.input.processed$ .......................
       Result of simplified eval Token : $test.input.processed_more_simple$ .......................
       Result of simplified eval Token through trick : $test.workinginput.processed$ .......................
       Result of eval Token through trick : $test.workinginput.processed_more_simple$ .......................
     </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Test Regex</title>
        <search>
          <query>| makeresults | eval input = "$test.input$" | table input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

gdiogo · ‎11-02-2017

After thinking about it, a quite obvious solution is to use a hidden select to run the actual search that I knew worked haha 🙂
So I guess I didn't need to complain about this ! 🙂
Well anyway, in case it is usefull for someone :

<form>
  <label>Test</label>
  <description>Test</description>
  <fieldset submitButton="false">
    <input type="text" token="test.input" searchWhenChanged="true">
      <label>test Input</label>
      <change>
        <eval token="test.input.processed">replace(replace(replace(replace(lower($value$), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</eval>
        <eval token="test.input.processed_more_simple">replace(lower($value$), "[^0-9a-f]", "")</eval>
        <unset token="form.hidden.test.input"></unset><!-- To select first choice anew ! 😉 -->
      </change>
      <default>ac23ghzz</default>
    </input>
    <input type="dropdown" token="hidden.test.input" depends="$never_shown$" searchWhenChanged="true">
      <label>Hidden</label>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| makeresults | eval input = "$form.test.input$" | fields input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1") | eval final_result ='Simplified Result'.";".result</query>
      </search>
      <fieldForLabel>final_result</fieldForLabel>
      <fieldForValue>final_result</fieldForValue>
      <change>
        <eval token="test.workinginput.processed">mvindex(split($value$, ";"), 0)</eval>
        <eval token="test.workinginput.processed_more_simple">mvindex(split($value$, ";"), 1)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
       Input : $test.input$ .......................
       Result of eval Token : $test.input.processed$ .......................
       Result of simplified eval Token : $test.input.processed_more_simple$ .......................
       Result of simplified eval Token through trick : $test.workinginput.processed$ .......................
       Result of eval Token through trick : $test.workinginput.processed_more_simple$ .......................
     </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Test Regex</title>
        <search>
          <query>| makeresults | eval input = "$test.input$" | table input | eval "Simplified Result" = replace(lower(input), "[^0-9a-f]", "") | eval result = replace(replace(replace(replace(lower(input), "[^0-9a-f]", ""), "(..)(.{1,2})", "\1-\2"), "([^\-]{2})([^\-]{1,2})", "\1-\2"), "(.{17}).*", "\1")</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

gdiogo · ‎11-02-2017

Sorry for the mistake in formatting : in html tag, should be <br/>
:S

Replace Function when used in token eval does not behave as in search

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?