Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I remove the double quotes from my token value?

gregbo
Communicator
‎06-01-2018 09:26 AM

In my form, I'm trying to search on a value that might be in two places. The value is derived from a token. The issue is that one of the places, the token value is the whole field, and in another, it's a part of the field. So the first part ( | search patid = $pat1$) works, but the second part ( | search patid=$pat1$) doesn't work because it puts quotes in (evaluates as | search patid="5379345"). Obviously I'm clueless, can someone point me in the right direction?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gregbo
Communicator
‎06-04-2018 04:51 AM

I couldn't get the suggested methods to work (probably I'm doing something else wrong), but I managed to get what I needed by using a rex to pull the value out of the second field and then do a search like so:
| rex field=altpat "\w*^\w*^\w*^\w*^\w*~(?\w*)"
| search (patid = $patid$) OR (altpatid = $patid$)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gregbo
Communicator
‎06-04-2018 04:51 AM

I couldn't get the suggested methods to work (probably I'm doing something else wrong), but I managed to get what I needed by using a rex to pull the value out of the second field and then do a search like so:
| rex field=altpat "\w*^\w*^\w*^\w*^\w*~(?\w*)"
| search (patid = $patid$) OR (altpatid = $patid$)

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-04-2018 05:21 AM

@gregbo requesting you to accept your own answer to mark this question as answered. Also while posting code use Code button on Splunk Answers i.e. 101010 or Shortcut Ctrl+K, so that special character does not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

gregbo
Communicator
‎06-04-2018 05:30 AM

That's odd, I thought I did use Ctrl+K...I'll have to see what I did wrong..

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-02-2018 09:26 PM

@gregbo while posting the code use the code button i.e. 101010 or shortcut key Ctrl+K. You might have to add more details from your code/data around your issue. Like what is the code for setting the patid token. What is the query where first $patid$ is set and used for search filter? and what is the query where second $patid$ is set for search filter. What is the value you want to use in both the places?

Can you try Token escape character i.e. |s to escape token value as string

  | search patid=$patid|s$

And 

  | search patid=*$patid|s$*

Or may be use double quotes around existing token filter:

  | search patid="$patid$"

And 

  | search patid="*$patid$*"

Please add the details as requested if your issue is not resolved!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...