Splunk Search

Passing parameter with equals sign in string returns search error

terrancedejesus
New Member

Hello,

I am currently using a lookup table and definition to compare a list of IPs, Domains, URLs, etc. against certain fields in Splunk for matches. This query is used in a dashboard with multiple panels. Below is my query after lookup tables and definitions are established.

index="INDEX" [|inputlookup FILE.csv | return 50000 $indicator]| table  action, src_ip, source, dst, destination, dst_ip, dstprt, filehash_md5, filehash_sha1, filehash_sha256, affectedFileHash | stats count

Sometimes I come across a URL that contains an equal sign '=' in it and it causes the query to not work with the following error.

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "http://IP/ies/api.cgi?act"=getConfig&id.

or

Error in 'search' command: Unable to parse the search: unbalance parenthesis.

Both seem to be tied to the same URLs that have equal signs in them and I am unable to find a solution or workaround for this. The lookup table is put together using Python PANDAS so I could always use some data wrangling if need be, but so far my attempts have failed.

I also noticed that the search bar in Splunk accepts the URL string if I use double ticks versus single, but as far as making that the standard output when using the inputlookup and the dashboards, I am not sure.

0 Karma

woodcock
Esteemed Legend

You are getting too fancy; try this:

index="INDEX" [|inputlookup FILE.csv | head 50000 | table indicator | format]
| stats count
0 Karma

efavreau
Motivator

It's not the equals sign that's tripping you up. It's the double quotes before the equals sign. Move the second pair of double quotes to the end of the URL.

###

If this reply helps you, an upvote would be appreciated.
0 Karma
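An added example, not part of any post in this thread: since the lookup is generated in Python, one option is to add a column that holds each indicator as a double-quoted SPL term, so that characters such as `=` and parentheses are not parsed as search syntax. The column name `search_term` and the sample rows are assumptions made for illustration, and the standard `csv` module is used instead of pandas so the block runs stand-alone.

```python
import csv
import io

# Characters SPL can treat as syntax in an unquoted term; '=' and parentheses
# are the ones behind the two errors quoted in the question.
SPL_SPECIAL = set('=()[]|"\\, ')


def needs_quoting(value):
    """True when an indicator cannot safely appear as a bare search term."""
    return any(ch in SPL_SPECIAL for ch in value)


def quote_spl_term(value):
    """Wrap value in double quotes, escaping backslashes first, then quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def add_search_terms(csv_text, field="indicator", out_field="search_term"):
    """Return the CSV with an extra column holding the quoted form of `field`."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(reader.fieldnames) + [out_field],
                            lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[out_field] = quote_spl_term(row[field].strip())
        writer.writerow(row)
    return out.getvalue()


# Constructed sample lookup (documentation addresses and .test names only).
SAMPLE = (
    "indicator,type\n"
    "198.51.100.7,ip\n"
    "http://198.51.100.7/api.cgi?act=getConfig&id=1,url\n"
    "http://example.test/a(b)/c,url\n"
    '"http://example.test/q?x=""y""",url\n'
)

if __name__ == "__main__":
    for row in csv.DictReader(io.StringIO(add_search_terms(SAMPLE))):
        flag = "needs quoting" if needs_quoting(row["indicator"]) else "plain"
        print(f'{flag:14} {row["search_term"]}')
```

The subsearch would then return `$search_term` instead of `$indicator`, on the assumption that `return` emits a `$field` value unchanged.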