Solved: Has any one come across hidden Double Quotes (") ...

ajdyer2000 · ‎05-02-2022

Hi.

Has any one come across hidden Double Quotes (") in a field and how to remove it? (maybe a "sed" regex)

The double quotes don't appear in the Splunk Field or even in an excel csv export.

It only appears when you save the csv as a txt file.

Apparently Splunk sees it because it adds additional lines in my search.

See below for Excel export and corresponding saved txt

It looks to be Quoting the contents of the AdminGroup field.

csv

src_host	AdminGroup
computer1	Domain Admins LocalAdmins

Text file

src_host AdminGroup
computer1 "Domain Admins
LocalAdmins"

gcusello · ‎05-02-2022

you could use a regex like the following (if the values are in a field called "AdminGroup"):

| rex field=AdminGroup "^\"(?<AdminGroup>[^\"]+)\""

Ciao.

Giuseppe

gcusello · ‎05-02-2022

you could use a regex like the following (if the values are in a field called "AdminGroup"):

| rex field=AdminGroup "^\"(?<AdminGroup>[^\"]+)\""

Ciao.

Giuseppe

ajdyer2000 · ‎05-18-2022

Thank you Giuseppe That Worked.

gcusello · ‎05-18-2022

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Has any one come across hidden Double Quotes (") in a field and how to remove it?