https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185480#M53458 <P>Use a REGEX to parse the data. Put this in your transforms.conf file instead of DELIMS:</P> <P><CODE>[&lt;transformName&gt;]<BR /> REGEX = \"(?&lt;EventTime&gt;.*?)\",\s\"(?&lt;Level&gt;.*?)\",\s\"(?&lt;Field3&gt;.*?)\",\s\"(?&lt;Field4&gt;.*?)\",\s\"(?&lt;Field5&gt;.*?)\"</CODE></P> Thu, 19 Dec 2013 17:51:53 GMT richgalloway 2013-12-19T17:51:53Z https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185479#M53457 <P>"2013-12-19 11:13:23", "[INFO]", "30927", "MainProcess", "SSMITH"</P> <P>My data is coming into Splunk in this format, and when I select to look at it in raw form this is an example of one of my logs. The issue I am having is that when I want to search for a field I have to search for it in the following way or it wont show up: </P> <BLOCKQUOTE> <P>levelname="\"[INFO]\"" </P> </BLOCKQUOTE> <P>I need the initial quotes around each field because some of the fields may have commas in them and the delimiter is also a comma. Is there a config I can use so I don't have to escape the quotes when searching for a field value? Or any advice besides changing the delimiter to fix the issue?</P> Thu, 19 Dec 2013 16:32:24 GMT https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185479#M53457 JoeSco27 2013-12-19T16:32:24Z https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185480#M53458 <P>Use a REGEX to parse the data. Put this in your transforms.conf file instead of DELIMS:</P> <P><CODE>[&lt;transformName&gt;]<BR /> REGEX = \"(?&lt;EventTime&gt;.*?)\",\s\"(?&lt;Level&gt;.*?)\",\s\"(?&lt;Field3&gt;.*?)\",\s\"(?&lt;Field4&gt;.*?)\",\s\"(?&lt;Field5&gt;.*?)\"</CODE></P> Thu, 19 Dec 2013 17:51:53 GMT https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185480#M53458 richgalloway 2013-12-19T17:51:53Z https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185481#M53459 <P>I appreciate the quick response, but I would prefer not to have to do a index-time field extraction. Additionally, this is just a piece of my log, I have an additional 20 or so fields. Does anyone know of any other way around this? I could use this as a last resort but would rather not have to.</P> Thu, 19 Dec 2013 20:42:07 GMT https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185481#M53459 JoeSco27 2013-12-19T20:42:07Z https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185482#M53460 <P>This is a search time field extraction in a config file (what you asked for). I'm not sure how to configure this to apply to only this field, but it would not surprise me if it's possible.</P> Thu, 19 Dec 2013 23:58:54 GMT https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185482#M53460 lukejadamec 2013-12-19T23:58:54Z https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185483#M53461 <P>This could work for as an easiest options, but you need to include it in every search you make (as compare to search time field extraction suggested by @richgalloway, which you just configure once).</P> <PRE><CODE>&lt;your search starter index=blah sourcetype=blah&gt; | replace "\"*\"" with "*" |&lt;...rest of your search&gt; </CODE></PRE> <P>This will replace all the instance of '"value"' with 'value'.</P> Fri, 20 Dec 2013 00:41:46 GMT https://community.splunk.com/t5/Splunk-Search/Quoted-escape-characters-when-searching-a-field/m-p/185483#M53461 somesoni2 2013-12-20T00:41:46Z