Splunk Enterprise Security

When do I need to surround a field name with single ticks, double ticks, and when do I not need them at all in a search?


I'm trying to integrate McAfee data into ES and I am having difficulties using the datamodel command.

Why does this search work (it returns results):

| datamodel "Malware" "Malware_Attacks" search | where 'Malware_Attacks.category'="av.detect"

And this one does not (it does not return results, but I do not get syntax errors):

| datamodel "Malware" "Malware_Attacks" search | search 'Malware_Attacks.category'="av.detect"

Thanks,
Chris


Update

This works:

| datamodel "Malware" "Malware_Attacks" search | search "Malware_Attacks.category"="av.detect"

And so does this:

| datamodel "Malware" "Malware_Attacks" search | search Malware_Attacks.category="av.detect"

I guess the question should be: When do I need to surround a field name with single ticks, when are double ticks ok and when do I not need them at all?


Re: When do I need to surround a field name with single ticks, double ticks, and when do I not need them at all in a search?

SplunkTrust

Hi Chris,

I cannot answer why it is this way; but from my experience and tests I can try to answer on how to use it.
Let's start with the difference of where and search:

  • Use where if you want to compare two fields' values
  • Use search if you want to search for a field containing a string or value

Next, there is a little hint in the docs at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where:

If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'.

If the expression references literal strings that contains non-alphanumeric characters, it needs to be surrounded by double quotes; for example, new="server-"+count.

Now, let's test this with these run-everywhere commands, all done on the same server over the Previous week time range:

| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>='foo'
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>=foo
| datamodel "internal_server" "systemwide_search_load_" search | search server.active_hist_searches>=15
| datamodel "internal_server" "systemwide_search_load_" search | search "server.active_hist_searches">=15

All the above searches will work, because they use the correct search syntax; the result is 108 events.

| datamodel "internal_server" "systemwide_search_load_" search | search "server.active_hist_searches">="15"
| datamodel "internal_server" "systemwide_search_load_" search | search server.active_hist_searches>="15"

The above searches will return the wrong events, because they search for the literal string value 15; the result is 566 events.

| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">='foo'
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">="foo"
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">=foo

The above searches will not work, because they reference literal strings that contain non-alphanumeric characters as a field; the result in this case is 811, or all, events.

| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where server.active_hist_searches>=foo
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>="foo"

These will not work at all, returning 0 events.

So, after all this testing I can say the following:

  • use ' single quotes when using the where command
  • use " double quotes or no quotes when using the search command

Hope this helps ....

cheers, MuS

PS: if you need the *why* it is this way, open a support case or ask the same on the IRC channel #splunk @ efnet.org
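As an added illustration (not from the thread, and not Splunk's own code), the following Python model reproduces the four `where` outcomes MuS observed: single quotes resolve to a field, double quotes to a string literal, and a bare dotted name is treated as eval's `.` concatenation operator applied to two separate (here non-existent) fields, which yields null. The `where`, `resolve` and `compare` helpers and the `EVENTS` sample data are the example's own simplified model, not Splunk's parser.

```python
import re

# Operand forms in a simplified where-clause: 'field', "literal", or a bare name.
OPERAND = re.compile(r"""'([^']*)'|"([^"]*)"|([A-Za-z_][\w.]*)""")
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def resolve(token, event):
    """Return the value one operand evaluates to for an event (None means null)."""
    m = OPERAND.fullmatch(token.strip())
    if not m:
        raise ValueError(f"bad operand: {token!r}")
    quoted_field, literal, bare = m.groups()
    if quoted_field is not None:      # 'server.active_hist_searches' -> field lookup
        return event.get(quoted_field)
    if literal is not None:           # "server.active_hist_searches" -> the string itself
        return literal
    # Bare name: every '.' is the concatenation operator, so each dot-separated
    # part is looked up as its own field; a null part makes the result null.
    parts = [event.get(p) for p in bare.split(".")]
    return None if any(p is None for p in parts) else "".join(parts)

def _num(v):
    try:
        return float(v)
    except (TypeError, ValueError):
        return None

def compare(lhs, op, rhs):
    """Numeric comparison if both sides look numeric, else lexicographic; null never matches."""
    if lhs is None or rhs is None:
        return False
    a, b = _num(lhs), _num(rhs)
    if a is not None and b is not None:
        return OPS[op](a, b)
    return OPS[op](str(lhs), str(rhs))

def where(expr, events):
    """Apply a single `LHS op RHS` where-clause and return the matching events."""
    m = re.fullmatch(r"\s*(.+?)\s*(>=|<=|=|>|<)\s*(.+?)\s*", expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    lhs, op, rhs = m.groups()
    return [e for e in events if compare(resolve(lhs, e), op, resolve(rhs, e))]

# Constructed sample events: the data-model field plus the result of `eval foo="15"`.
EVENTS = [{"server.active_hist_searches": v, "foo": "15"} for v in ("3", "15", "40", "120")]
```

Running `where("'server.active_hist_searches'>=foo", EVENTS)` keeps the three events at or above 15, the double-quoted left-hand side keeps all four (a string comparison of the literal field name against "15"), and the bare dotted name or a double-quoted `"foo"` keeps none.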



Re: When do I need to surround a field name with single ticks, double ticks, and when do I not need them at all in a search?


Thanks for testing the different variations.
