Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to replace " with ' from multiselect input onc...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ShaneNewman
Motivator
02-10-2015
11:41 AM
I have multiselect inputs that are cascading. I populate a lookup file with the possible values for each of these input elements, this is done because a real-time database lookup using dbConnect is painfully slow because none of the fields being searched are indexed in the table. All that means I need to pass a literal " instead of a ' for the cascading lookups to function within Splunk. Once all of the values are selected, I have created a macro that uses the dbquery command from the Splunk dbConnect App, downside is that it also passes " for the multiselect fields where SQL wants a '. Is there a simple way do do this?
This is a search I have created that does most of what I want (not very clean):
| inputlookup remedy_group_assignee.csv | search (Assigned_Company="company") AND (Assigned_Support_Organization="performance_mgmt") AND [search index=_internal | head 1 | eval Assigned_Group="(Assigned_Group='service assurance' OR Assigned_Group='remedy')" | fields Assigned_Group
| rex mode=sed field=Assigned_Group "s/\(//g"
| rex mode=sed field=Assigned_Group "s/\)//g"
| rex mode=sed field=Assigned_Group "s/\"//g"
| rex mode=sed field=Assigned_Group "s/^Assigned_Group='//g"
| rex mode=sed field=Assigned_Group "s/ Assigned_Group='/ Assigned_Group=\"/g"
| rex mode=sed field=Assigned_Group "s/\'\s/\" /g"
| rex mode=sed field=Assigned_Group "s/\'/\"/g"
| rex mode=sed field=Assigned_Group "s/\"$//g"
| fields Assigned_Group ] | stats count by Assignee
It returns nothing, inspecting the job I see this:
| inputlookup remedy_group_assignee.csv | search (Assigned_Company="company") AND (Assigned_Support_Organization="performance_mgmt") AND ( ( Assigned_Group="service assurance\" OR Assigned_Group=\"remedy" ) ) | stats count by Assignee
Upon removing the "\" from the search I get results... Trying to add a new sed statement to the end of the other sed statements to replace \ with nothing:
| rex mode=sed field=Assigned_Group "s/\\//g"
Returns this error: Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ShaneNewman
Motivator
02-17-2015
07:48 AM
Ended up going another route, it was a little more effort but it got the job done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ShaneNewman
Motivator
02-17-2015
07:48 AM
Ended up going another route, it was a little more effort but it got the job done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ShaneNewman
Motivator
02-13-2015
04:07 PM
Has this got everyone else stumped too?
Get Updates on the Splunk Community!
How to send events & findings from AWS to Splunk using Amazon EventBridge
Amazon EventBridge is a serverless service that uses events to connect application components together, making ...
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
