How do I escape single quote within DBXquery SQL l...

LearningGuy · ‎05-04-2023

how do I escape single quote within DBXquery SQL like command
For example:
content = '. . . . . . src_port': 20, 'dst_port': 21 ..... ' there is space after colon :
| dbxquery connection=visibility query="select content from DB where content like '%port\'\:\s20\,' "
This query gave me an error. I already tried to escape single quote with single quote, but did gave me 0 result

Thanks

tscroggins · ‎05-06-2023

Hi,

Escape sequences vary by SQL implementation, but generally, an apostrophe can be included in a character string with a preceding apostrophe, e.g.:

SELECT 'FOO''BAR'

returns FOO'BAR, where the double apostrophe is replaced with a single apostrophe.

In your example:

| dbxquery connection=visibility query="select content from DB where content like '%port'': 20,' "

will return the content column from all DB table rows where content ends with port':[space]20,'[space].

To find all rows containing a src_port or dest_port string (or any other _port': string), you might try:

| dbxquery connection=visibility query="select content from DB where content like '''%\_port'':%' escape '\'"

In LIKE predicate patterns, % and _ are wildcards. I've introduced the ESCAPE clause to explicitly define an escape character.

LIKE predicate patterns are not regular expressions, so you may match more than you intended.

How do I escape single quote within DBXquery SQL like command?

field extraction

table

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Are you a member of the Splunk Community?