Splunk Search

How to get a raw string as input in a custom search?

thanhnhhe130698
Engager

Hi, I have a custom search that gets its input as a raw string, but when I combine it, Splunk doesn't understand it and always returns an error.
Example:
|example rawstring="{"EventCode": "13","EventType": "SetValue","TargetObject": "(?mi)Software[//\\\\]{0,2}Microsoft[//\\\\]{0,2}Windows[//\\\\]{0,2}CurrentVersion[//\\\\]{0,2}Run"}}" 
Can anyone help me pass it? Thanks in advance.




manjunathmeti
Champion

Hi @thanhnhhe130698,

You have double quotes in the raw string, put a backslash before each double quote.

rawstring="{\"EventCode\": \"13\",\"EventType\": \"SetValue\",\"TargetObject\": \"(?mi)Software[//\\\\]{0,2}Microsoft[//\\\\]{0,2}Windows[//\\\\]{0,2}CurrentVersion[//\\\\]{0,2}Run\"}}"

 

If this reply helps you, a like would be appreciated.

thanhnhhe130698
Engager

Hi @manjunathmeti, thanks for your reply. It works, but Splunk still formats the string '//\\\\' to '//\\'. Do you have a way to fix this? Thank you very much.


manjunathmeti
Champion

You need to escape the backslash character (\). Use the sequence \\ to escape a single \.

rawstring="{\"EventCode\": \"13\",\"EventType\": \"SetValue\",\"TargetObject\": \"(?mi)Software[//\\\\\\\\]{0,2}Microsoft[//\\\\\\\\]{0,2}Windows[//\\\\\\\\]{0,2}CurrentVersion[//\\\\\\\\]{0,2}Run\"}}"

 

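The thread never shows why the first answer is not enough, so here is an added worked example (not code from the thread, and not Splunk's own parser) that models the two layers the raw string passes through: SPL first unescapes the double-quoted argument, then the custom command decodes the result as JSON and compiles TargetObject as a regex. The spl_unescape function is a simplified model and an assumption: it treats only \" and \\ as escapes and passes every other backslash through unchanged. The two argument values are copied from the two answers, except that the trailing `}}` on the page is taken to be a typo for `}` so the JSON is balanced; the Sysmon-style registry path is constructed for the match check.

```python
import json
import re

# Simplified model of how SPL treats a double-quoted argument value
# (assumption: only \" and \\ are recognised as escapes; any other
# backslash is passed through unchanged).
def spl_unescape(arg):
    out = []
    i = 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg) and arg[i + 1] in '"\\':
            out.append(arg[i + 1])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)

# What the (hypothetical) custom command does with the value it receives:
# decode it as JSON, then compile TargetObject as a regex.
def build_matcher(raw):
    spec = json.loads(raw)
    return spec, re.compile(spec["TargetObject"])

# Constructed: the value from the first answer (quotes escaped, backslashes not).
ARG_QUOTES_ONLY = r'{\"EventCode\": \"13\",\"EventType\": \"SetValue\",\"TargetObject\": \"(?mi)Software[//\\\\]{0,2}Microsoft[//\\\\]{0,2}Windows[//\\\\]{0,2}CurrentVersion[//\\\\]{0,2}Run\"}'

# Constructed: the value from the second answer (backslashes doubled as well).
ARG_FULLY_ESCAPED = r'{\"EventCode\": \"13\",\"EventType\": \"SetValue\",\"TargetObject\": \"(?mi)Software[//\\\\\\\\]{0,2}Microsoft[//\\\\\\\\]{0,2}Windows[//\\\\\\\\]{0,2}CurrentVersion[//\\\\\\\\]{0,2}Run\"}'

# Constructed Sysmon-style registry path (EventCode 13 TargetObject) for a match check.
SAMPLE_TARGET = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"

def try_arg(arg):
    """Feed one SPL argument through both layers.

    Returns ("ok", regex_text, matched) when the command can use the value,
    or ("error", message, None) when JSON decoding or regex compilation fails.
    """
    received = spl_unescape(arg)  # what the command actually sees
    try:
        spec, rx = build_matcher(received)
    except (json.JSONDecodeError, re.error) as e:
        return ("error", str(e), None)
    return ("ok", spec["TargetObject"], bool(rx.search(SAMPLE_TARGET)))

if __name__ == "__main__":
    for name, arg in [("quotes only", ARG_QUOTES_ONLY), ("fully escaped", ARG_FULLY_ESCAPED)]:
        print(name, "-> command receives:", spl_unescape(arg))
        print("   result:", try_arg(arg))
```

With only the quotes escaped, SPL collapses each `\\\\` to `\\`, JSON then collapses that to a single `\`, and the command ends up compiling `[//\]{0,2}`, where `\]` escapes the closing bracket and the character class is never terminated. Doubling the backslashes once more survives both layers, so the command compiles `[//\\]{0,2}` (a class of `/` and `\`) and the pattern matches the sample path.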