Splunk Search

If I have a field value with double quotes, how do I get a Splunk search to ignore the double quotes to display the entire value?

Path Finder

HI All;

I have data which contains many events like this:


When I do a command like this ...|table event_name action_name action_params, the results look like this: test, widgets_panel, {

I see that the double quotes in the action_params is causing this issue, and my question here is, "is there a work around to pull in all of {"content_source":"news_and_media"} when I call the action_param field?"


0 Karma


Looking at some of the other JSON answers, I tried setting KV_MODE=auto_escaped but that did not eliminate the issue in my testing.
So you'll need to set up field extractions as somesoni2 suggested.

Example (assuming data above is the exact event format):


You'll have to adjust the regex if there's more data following the action_params KV pair that has similar KV pairs to extract.

If you have the option to modify the log format of these messages, it seems like the best way would be to remove the quotes before the brackets. That turns the events into legal JSON, so they should be automatically extracted.

0 Karma

Revered Legend

You'd probably have to setup custom field extractions. Can you provide some sample events, keeping original line breaks?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...