Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to replace " with ' from multiselect input onc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have multiselect inputs that are cascading. I populate a lookup file with the possible values for each of these input elements, this is done because a real-time database lookup using dbConnect is painfully slow because none of the fields being searched are indexed in the table. All that means I need to pass a literal " instead of a ' for the cascading lookups to function within Splunk. Once all of the values are selected, I have created a macro that uses the dbquery command from the Splunk dbConnect App, downside is that it also passes " for the multiselect fields where SQL wants a '. Is there a simple way do do this?
This is a search I have created that does most of what I want (not very clean):
| inputlookup remedy_group_assignee.csv | search (Assigned_Company="company") AND (Assigned_Support_Organization="performance_mgmt") AND [search index=_internal | head 1 | eval Assigned_Group="(Assigned_Group='service assurance' OR Assigned_Group='remedy')" | fields Assigned_Group
| rex mode=sed field=Assigned_Group "s/\(//g"
| rex mode=sed field=Assigned_Group "s/\)//g"
| rex mode=sed field=Assigned_Group "s/\"//g"
| rex mode=sed field=Assigned_Group "s/^Assigned_Group='//g"
| rex mode=sed field=Assigned_Group "s/ Assigned_Group='/ Assigned_Group=\"/g"
| rex mode=sed field=Assigned_Group "s/\'\s/\" /g"
| rex mode=sed field=Assigned_Group "s/\'/\"/g"
| rex mode=sed field=Assigned_Group "s/\"$//g"
| fields Assigned_Group ] | stats count by Assignee
It returns nothing, inspecting the job I see this:
| inputlookup remedy_group_assignee.csv | search (Assigned_Company="company") AND (Assigned_Support_Organization="performance_mgmt") AND ( ( Assigned_Group="service assurance\" OR Assigned_Group=\"remedy" ) ) | stats count by Assignee
Upon removing the "\" from the search I get results... Trying to add a new sed statement to the end of the other sed statements to replace \ with nothing:
| rex mode=sed field=Assigned_Group "s/\\//g"
Returns this error: Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up going another route, it was a little more effort but it got the job done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up going another route, it was a little more effort but it got the job done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has this got everyone else stumped too?
What the End of Support for Splunk Add-on Builder Means for You
Solve, Learn, Repeat: New Puzzle Channel Now Live
Building Reliable Asset and Identity Frameworks in Splunk ES
