How do I escape single quote within DBXquery SQL like command?

LearningGuy — Thu, 04 May 2023 15:54:04 GMT

how do I escape single quote within DBXquery SQL like command
For example:
content = '. . . . . . src_port': 20, 'dst_port': 21 ..... ' there is space after colon :
| dbxquery connection=visibility query="select content from DB where content like '%port\'\:\s20\,' "
This query gave me an error. I already tried to escape single quote with single quote, but did gave me 0 result

Thanks

Re: How do I escape single quote within DBXquery SQL like command?

tscroggins — Sat, 06 May 2023 18:11:35 GMT

Hi,

Escape sequences vary by SQL implementation, but generally, an apostrophe can be included in a character string with a preceding apostrophe, e.g.:

SELECT 'FOO''BAR'

returns FOO'BAR, where the double apostrophe is replaced with a single apostrophe.

In your example:

| dbxquery connection=visibility query="select content from DB where content like '%port'': 20,' "

will return the content column from all DB table rows where content ends with port':[space]20,'[space].

To find all rows containing a src_port or dest_port string (or any other _port': string), you might try:

| dbxquery connection=visibility query="select content from DB where content like '''%\_port'':%' escape '\'"

In LIKE predicate patterns, % and _ are wildcards. I've introduced the ESCAPE clause to explicitly define an escape character.

LIKE predicate patterns are not regular expressions, so you may match more than you intended.

topic How do I escape single quote within DBXquery SQL like command? in Splunk Search

How do I escape single quote within DBXquery SQL like command?

Re: How do I escape single quote within DBXquery SQL like command?