Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Can I get outputcsv to not quote
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I get outputcsv to not quote
Hello
I know this has been asked before but I retied the solution and still getting the same results.
index=java host=*myhost* name=transactional *USEmployeeUserGrpDiscountRule* "[amount=-" | dedup ticketId | rex field=_raw "\[amount=-(?<feeAdjustmentAmount>\d*\.\d*)" | eval foo="\"feeAdjustmentAmount\"" | eval boo=trim(foo, "\"") | table ticketId, boo | rename boo AS feeAdjustmentAmount
I'm sure I'm just doing something incorrectly. Its the foo eval that I don't have right.
The feeAdjustmentAmount is monetary so it will be digits.2decimals like 24.50 with no quotes in the log.
Right now, of course, the search above returns results like:
ticketId feeAdjustmentAmount
(purposelyMasked) feeAdjustmentAmount
Can you tell me when I outputcsv, how can I get it to exclude quotes. We use the csv to push to a webpage so fixing format is important.
Thank a bunch!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are you putting the quotes there in the first place? just use
| eval foo=feeAdjustmentAmount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK yes, that was incorrect. I removed that and used:
index=java host=*myhost* name=transactional *USEmployeeUserGrpDiscountRule* "[amount=-" | dedup ticketId | rex field=_raw "\[amount=-(?<feeAdjustmentAmount>\d*\.\d*)" | eval foo=feeAdjustmentAmount | eval boo=trim(foo, "\"") | table ticketId, boo | rename boo AS feeAdjustmentAmount | outputcsv empdiscount
but the csv is still formatted
ticketId,feeAdjustmentAmount
(purposelyMasked),"15.01"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this -
index=java host=*myhost* name=transactional *USEmployeeUserGrpDiscountRule* "[amount=-"
| dedup ticketId
| rex field=_raw "\[amount=-(?<feeAdjustmentAmount>\d*\.\d*)"
| eval feeAdjustmentAmount = tonumber(feeAdjustmentAmount)
| table ticketId, feeAdjustmentAmount
| outputcsv empdiscount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are the results from that
[me@myhost ~]# cat empdiscount.csv
ticketId,feeAdjustmentAmount
(purposelymasked),"6.00"
(purposelymasked),"12.00"
(purposelymasked),"15.01"
(purposelymasked),"11.73"
Still quoted
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
