Dashboards & Visualizations
Highlighted

How do I remove the double quotes from my token value?

Communicator

In my form, I'm trying to search on a value that might be in two places. The value is derived from a token. The issue is that one of the places, the token value is the whole field, and in another, it's a part of the field. So the first part ( | search patid = $pat1$) works, but the second part ( | search patid=$pat1$) doesn't work because it puts quotes in (evaluates as | search patid="5379345"). Obviously I'm clueless, can someone point me in the right direction?

0 Karma
Highlighted

Re: How do I remove the double quotes from my token value?

Legend

@gregbo while posting the code use the code button i.e. 101010 or shortcut key Ctrl+K. You might have to add more details from your code/data around your issue. Like what is the code for setting the patid token. What is the query where first $patid$ is set and used for search filter? and what is the query where second $patid$ is set for search filter. What is the value you want to use in both the places?

Can you try Token escape character i.e. |s to escape token value as string

  | search patid=$patid|s$

And

  | search patid=*$patid|s$*

Or may be use double quotes around existing token filter:

  | search patid="$patid$"

And

  | search patid="*$patid$*"

Please add the details as requested if your issue is not resolved!




| eval message="Happy Splunking!!!"


0 Karma
Highlighted

Re: How do I remove the double quotes from my token value?

Communicator

I couldn't get the suggested methods to work (probably I'm doing something else wrong), but I managed to get what I needed by using a rex to pull the value out of the second field and then do a search like so:
| rex field=altpat "\w^\w^\w^\w^\w~(?\w)"
| search (patid = $patid$) OR (altpatid = $patid$)

View solution in original post

0 Karma
Highlighted

Re: How do I remove the double quotes from my token value?

Legend

@gregbo requesting you to accept your own answer to mark this question as answered. Also while posting code use Code button on Splunk Answers i.e. 101010 or Shortcut Ctrl+K, so that special character does not escape.




| eval message="Happy Splunking!!!"


0 Karma
Highlighted

Re: How do I remove the double quotes from my token value?

Communicator

That's odd, I thought I did use Ctrl+K...I'll have to see what I did wrong..

0 Karma