How to get raw string as input in custom search ?

thanhnhhe130698 · ‎08-05-2021

Hi, I have a custom search get input as raw string, but when I combine splunk don't understand that, it always return error
Example:
|example rawstring="{"EventCode": "13","EventType": "SetValue","TargetObject": "(?mi)Software[//\\\\]{0,2}Microsoft[//\\\\]{0,2}Windows[//\\\\]{0,2}CurrentVersion[//\\\\]{0,2}Run"}}"
Can anyone help me pass it, thanks in advance

manjunathmeti · ‎08-05-2021

hi @thanhnhhe130698,

You have double quotes in the raw string, put a backslash before each double quote.

rawstring="{\"EventCode\": \"13\",\"EventType\": \"SetValue\",\"TargetObject\": \"(?mi)Software[//\\\\]{0,2}Microsoft[//\\\\]{0,2}Windows[//\\\\]{0,2}CurrentVersion[//\\\\]{0,2}Run\"}}"

If this reply helps you, a like would be appreciated.

thanhnhhe130698 · ‎08-05-2021

Hi @manjunathmeti , thanks for your reply, it works but splunk still format string '//\\\\' to '//\\',do you have a way to fix this? thank you very much

manjunathmeti · ‎08-06-2021

You need to escape a backslash character ( \ ). Use the sequence \\ to escape single \.

rawstring="{\"EventCode\": \"13\",\"EventType\": \"SetValue\",\"TargetObject\": \"(?mi)Software[//\\\\\\\\]{0,2}Microsoft[//\\\\\\\\]{0,2}Windows[//\\\\\\\\]{0,2}CurrentVersion[//\\\\\\\\]{0,2}Run\"}}"

How to get raw string as input in custom search ?

search job inspector

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

How to get raw string as input in custom search ?

search job inspector

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming