Splunk Search

How do you search on a form token that has a value enclosed in double quotes?

cphair
Builder

Hello. I know variants of this question have been asked before, but I haven't found a solution for my specific case. I have a form that accepts a text value for a user and passes it to the search as a parameter (user="$user$"). Mostly this works fine, but in a few cases the user value is enclosed in quotes (e.g. "someaccount" instead of someaccount). If I pass user="someaccount" to the search, it doesn't match because it ignores the quotes. I would like to run this through a macro that fixes the quote situation, but I can't find one that works. The closest I got was user=`foo("someaccount")` where foo was an eval-based macro: replace("$token$", "([\"])", "\\\\\1"). I don't want to have to use *useraccount* to match "useraccount", and I don't want to use rex later in the search because I want to filter on the user field in the base query. Is there a way to make the macro work?

P.S. I can't use Sideview for this dashboard, and anyway I would like a solution that works from the search bar too.

0 Karma

somesoni2
Revered Legend

Where are this token used, in the base search as a filter or in an eval statement.

Take a look at this runanywhere example.

|gentimes start=-1 | eval user="somesh \"somesh\"" | table user| makemv user | mvexpand user | eval isPresent=if(match(user,"(\")*"."somesh"."(\")*"),1,0)

You can put this match statement in your macro.

Update

If the value of the $user$ can only be "user" or "\"user\"", the you can try this in base search

index=yourIndex sourcetype=yoursourcetype (user="$user$" OR user="\"$user$\"") ... | rest of the search

cphair
Builder

Base search. That's why it's complicated. I can get it to work with a later eval, but not in the base search.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...