Splunk Search

Passing parameter with equals sign in string returns search error

terrancedejesus
New Member

Hello,

I am currently using a lookup table and definition to compare a list of IPs, Domains, URLs, etc. against certain fields in Splunk for matches. This query is used in a dashboard with multiple panels. Below is my query after lookup tables and definitions are established.

index="INDEX" [|inputlookup FILE.csv | return 50000 $indicator]| table  action, src_ip, source, dst, destination, dst_ip, dstprt, filehash_md5, filehash_sha1, filehash_sha256, affectedFileHash | stats count

Sometimes I come across a URL that contains an equals sign ('=') in it, and it causes the query not to work, with the following error.

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "http://IP/ies/api.cgi?act"=getConfig&id.

or

Error in 'search' command: Unable to parse the search: unbalance parenthesis.

Both seem to be tied to the same URLs that have equals signs in them, and I am unable to find a solution or workaround for this. The lookup table is put together using Python pandas, so I could always use some data wrangling if need be, but so far my attempts have failed.

I also noticed that the search bar in Splunk accepts the URL string if I use double quotes rather than single ones, but as far as making that the standard output when using the inputlookup and the dashboards, I am not sure.

0 Karma

woodcock
Esteemed Legend

You are getting too fancy; try this:

index="INDEX" [|inputlookup FILE.csv | head 50000 | table indicator | format]
| stats count
0 Karma
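Since the lookup table is built with pandas, the same quoting that `| format` applies can be reproduced in Python when the search clause is generated outside Splunk. This is an added example, not code from the thread or from Splunk; the field name `indicator` and the sample indicators are constructed, and the output shape mirrors `| format`'s default `( ( field="v" ) OR ... )` layout as an assumption.

```python
# Added example (not from the thread): emit an SPL OR-clause in which every
# indicator is a quoted string literal, so a value containing '=' or '&' is
# matched as text instead of being parsed as a comparison.
# Field name "indicator" and the sample values below are constructed.


def spl_quote(value: str) -> str:
    """Quote a value as an SPL string literal, escaping backslash and
    double quote inside it (assumed SPL escaping rules)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_subsearch(field: str, values) -> str:
    """Build the clause `| table <field> | format` would hand back to the
    outer search: ( ( field="v1" ) OR ( field="v2" ) ... )."""
    clauses = [f"( {field}={spl_quote(v)} )" for v in values]
    return "( " + " OR ".join(clauses) + " )"


def bare_value_is_ambiguous(value: str) -> bool:
    """True when the value, if emitted unquoted (as `return $field` does),
    would not be read by the SPL parser as a single search term: it holds a
    comparator, whitespace, or an odd number of double quotes."""
    inner = value.strip('"')
    return "=" in inner or " " in inner or value.count('"') % 2 == 1


# Constructed sample indicators, including the URL shape from the question.
INDICATORS = [
    "198.51.100.7",
    "evil.example",
    "http://IP/ies/api.cgi?act=getConfig&id",
]

if __name__ == "__main__":
    print(format_subsearch("indicator", INDICATORS))
    for v in INDICATORS:
        print(f"{v!r}: needs quoting = {bare_value_is_ambiguous(v)}")
```

Values that `bare_value_is_ambiguous` flags are exactly the rows that would break a `return $indicator` subsearch; once quoted by `format_subsearch` they pass through as plain string matches.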

efavreau
Motivator

It's not the equals sign that's tripping you up. It's the double quotes before the equals sign. Move the second pair of double quotes to the end of the URL.

###

If this reply helps you, an upvote would be appreciated.
0 Karma