How can I handle special characters from my log like blank spaces and asterisk? Is there like a scape character in searching?


There is a field in my log which can assume special characters as values, as below.

action=" ";parm="NULL";ans="ERROR"

I don't want to remove those character from my log (actually I should not), but I want to be able to find those events in my search.

I tryed to search <i>action="\ "</i> and <i>action="*"</i>, but it didn't work.

How can I search those fields properly?



0 Karma

Path Finder


Take a look at:

In the Quotes and escaping characters section:

The backslash character () is used to escape quotes, pipes, and itself. Backslash escape sequences are still expanded inside quotes. For example:

The sequence \| as part of a search will send a pipe character to the command, instead of having the pipe split between commands.
The sequence \" will send a literal quote to the command, for example for searching for a literal quotation mark or inserting a literal quotation mark into a field using rex.
The \\ sequence will be available as a literal backslash in the command.

Hope that helps.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!