https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244601#M72863 <P>Legend!</P> <P>Thanks</P> Wed, 24 Aug 2016 12:22:04 GMT smudge797 2016-08-24T12:22:04Z https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244599#M72861 <P>Seeing issue with tabling results inside quotes and wondering if this is know issue with work around?</P> <P>query:<BR /> index=perfmon source=process sourcetype=WinHostMon ProcessId=22864</P> <P>results:<BR /> Type=Process<BR /> Name="splunkd.exe"<BR /> ProcessId=22864<BR /> CommandLine=""C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service"<BR /> StartTime="20160817005341.861352+120"<BR /> Host="myhost"<BR /> Path="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"</P> <P>Type=Process<BR /> Name="TrustedInstaller.exe"<BR /> ProcessId=19228<BR /> CommandLine="C:\Windows\servicing\TrustedInstaller.exe"<BR /> StartTime="20160816000024.970946+120"<BR /> Host="Anotherhost"<BR /> Path="C:\Windows\servicing\TrustedInstaller.exe"</P> <P>query:<BR /> index=perfmon source=process sourcetype=WinHostMon ProcessId=22864 | table CommandLine</P> <P>No results..</P> Wed, 24 Aug 2016 10:59:19 GMT https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244599#M72861 smudge797 2016-08-24T10:59:19Z https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244600#M72862 <P>Yes, the double quotes give little trouble there..<BR /><BR /> maybe, a quick rex.. tested this and works fine.. </P> <PRE><CODE>sourcetype=WinHostMonTest | rex field=_raw "CommandLine=(?&lt;CmdLine&gt;.+[^\n])" | table CmdLine </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1760i23E621DC7BBD9B4A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 24 Aug 2016 11:55:43 GMT https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244600#M72862 inventsekar 2016-08-24T11:55:43Z https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244601#M72863 <P>Legend!</P> <P>Thanks</P> Wed, 24 Aug 2016 12:22:04 GMT https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244601#M72863 smudge797 2016-08-24T12:22:04Z https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244602#M72864 <P>I cant seem to put this in my dashboard:<BR /> ...| rex field=_raw "CommandLine=(?.+[^\n])"| table CommandLine</P> <P>Its complaining about the </P> <PRE><CODE> &lt;title&gt;$ProcessID$ Process Drilldown&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=perfmon source=process sourcetype=WinHostMon ProcessId=22864 </CODE></PRE> <P>earliest=$time.earliest$ latest=$time.latest$ host=$Host$ ProcessId=$ProcessID$ | dedup ProcessId | rex field=_raw "CommandLine=(?.+[^\n])"| table Name ProcessId CommandLine Path<BR /> <BR /> true<BR /> true<BR /> none<BR /> none<BR /> 10</P> Wed, 24 Aug 2016 16:14:16 GMT https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244602#M72864 smudge797 2016-08-24T16:14:16Z https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244603#M72865 <P>i am not sure of this one.. let me create a dashboard to check it and update you back..</P> Thu, 25 Aug 2016 09:03:37 GMT https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244603#M72865 inventsekar 2016-08-25T09:03:37Z https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244604#M72866 <P>CDATA! sorted it. Thanks</P> Thu, 25 Aug 2016 15:01:21 GMT https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244604#M72866 smudge797 2016-08-25T15:01:21Z https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244605#M72867 <P>Is there any way to have this data straightened out with a props/transform search time or index time extraction?</P> Thu, 26 Jan 2017 23:20:56 GMT https://community.splunk.com/t5/Splunk-Search/issue-querying-events-in-quotes/m-p/244605#M72867 smudge797 2017-01-26T23:20:56Z