Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to replace " with ' from multiselect input...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have multiselect inputs that are cascading. I populate a lookup file with the possible values for each of these input elements, this is done because a real-time database lookup using dbConnect is painfully slow because none of the fields being searched are indexed in the table. All that means I need to pass a literal " instead of a ' for the cascading lookups to function within Splunk. Once all of the values are selected, I have created a macro that uses the dbquery command from the Splunk dbConnect App, downside is that it also passes " for the multiselect fields where SQL wants a '. Is there a simple way do do this?
This is a search I have created that does most of what I want (not very clean):
| inputlookup remedy_group_assignee.csv | search (Assigned_Company="company") AND (Assigned_Support_Organization="performance_mgmt") AND [search index=_internal | head 1 | eval Assigned_Group="(Assigned_Group='service assurance' OR Assigned_Group='remedy')" | fields Assigned_Group
| rex mode=sed field=Assigned_Group "s/\(//g"
| rex mode=sed field=Assigned_Group "s/\)//g"
| rex mode=sed field=Assigned_Group "s/\"//g"
| rex mode=sed field=Assigned_Group "s/^Assigned_Group='//g"
| rex mode=sed field=Assigned_Group "s/ Assigned_Group='/ Assigned_Group=\"/g"
| rex mode=sed field=Assigned_Group "s/\'\s/\" /g"
| rex mode=sed field=Assigned_Group "s/\'/\"/g"
| rex mode=sed field=Assigned_Group "s/\"$//g"
| fields Assigned_Group ] | stats count by Assignee
It returns nothing, inspecting the job I see this:
| inputlookup remedy_group_assignee.csv | search (Assigned_Company="company") AND (Assigned_Support_Organization="performance_mgmt") AND ( ( Assigned_Group="service assurance\" OR Assigned_Group=\"remedy" ) ) | stats count by Assignee
Upon removing the "\" from the search I get results... Trying to add a new sed statement to the end of the other sed statements to replace \ with nothing:
| rex mode=sed field=Assigned_Group "s/\\//g"
Returns this error: Error in 'rex' command: Failed to initialize sed. Failed to parse the replacement string
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up going another route, it was a little more effort but it got the job done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up going another route, it was a little more effort but it got the job done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has this got everyone else stumped too?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
