How do I escape single quote within DBXquery SQL l...

LearningGuy · ‎05-04-2023

how do I escape single quote within DBXquery SQL like command
For example:
content = '. . . . . . src_port': 20, 'dst_port': 21 ..... ' there is space after colon :
| dbxquery connection=visibility query="select content from DB where content like '%port\'\:\s20\,' "
This query gave me an error. I already tried to escape single quote with single quote, but did gave me 0 result

Thanks

tscroggins · ‎05-06-2023

Hi,

Escape sequences vary by SQL implementation, but generally, an apostrophe can be included in a character string with a preceding apostrophe, e.g.:

SELECT 'FOO''BAR'

returns FOO'BAR, where the double apostrophe is replaced with a single apostrophe.

In your example:

| dbxquery connection=visibility query="select content from DB where content like '%port'': 20,' "

will return the content column from all DB table rows where content ends with port':[space]20,'[space].

To find all rows containing a src_port or dest_port string (or any other _port': string), you might try:

| dbxquery connection=visibility query="select content from DB where content like '''%\_port'':%' escape '\'"

In LIKE predicate patterns, % and _ are wildcards. I've introduced the ESCAPE clause to explicitly define an escape character.

LIKE predicate patterns are not regular expressions, so you may match more than you intended.

How do I escape single quote within DBXquery SQL like command?

field extraction

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation