I have a form with the drilldown function but when I try to pass the token with a single double quote I obtain the error:
PARSER: Applying intentions failed Unbalanced quotes.
Example:
No problem passing the value FOO or BAR but error with the value DB"DB
How can avoid that error?
I can post the example data and the forms if is needed.
Thanks a lot.
Before you render your results in a table in the first place, escape any of the quotes of field values which are drilldown-able
.. | rex field=mydrilldown_field mode=sed "s/\"/\\\"/g"
..that way, we can search the index with that token.
From the brief research I did, you seem to be out of luck. It looks like you have to do some regex manipulation at the index time, or transforms. See these two Q&As:
http://splunk-base.splunk.com/answers/3231/escaping-characters-in-an-event
Good luck
Oh I see, your problem is that the value in the field is DB"DB, not that the name of the field/token is DB"DB.
Thank you for the answer but the problem is that I select a row on my table (with drill down function) where I need detailed information and I can not change the token string by hand. Sometimes the passed field is a simple string (like FOO etc.) and sometimes the string has a double-quote character (like DB"DB)...
A workaround could be change the string at index time, for example replacing every double-quote with two single-quote, but I prefer do not change the original data.
Try using the xml predefined character name instead of actual quotes: "\;
Something like: DB"\;DB
Instead of: DB"DB
http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references