Splunk Search

Passing parameter with equals sign in string returns search error

New Member

Hello,

I am currently using a lookup table and definition to compare a list of IPs, Domains, URLs, etc. against certain fields in Splunk for matches. This query is used in a dashboard with multiple panels. Below is my query after lookup tables and definitions are established.

index="INDEX" [|inputlookup FILE.csv | return 50000 $indicator]| table  action, src_ip, source, dst, destination, dst_ip, dstprt, filehash_md5, filehash_sha1, filehash_sha256, affectedFileHash | stats count

Sometimes I come across a URL that contains an equal sign '=' in it and it causes the query to not work with the following error.

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "http://IP/ies/api.cgi?act"=getConfig&id.

or

Error in 'search' command: Unable to parse the search: unbalance parenthesis.

Both seem to be tied to the same URLs that have equal signs in them and I am unable to find a solution or workaround for this. The lookup table is put together using Python PANDAS so I could always use some data wrangling if need be, but so far my attempts have failed.

I also noticed that the search bar in Splunk accepts the URL string if I use double ticks versus single, but as far as making that the standard output when using the inputlookup and the dashboards, I am not sure.

0 Karma

Esteemed Legend

You are getting too fancy; try this:

index="INDEX" [|inputlookup FILE.csv | head 50000 | table indicator | format]
| stats count
0 Karma
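To see why quoting the values (which is what `| format` does to the subsearch output) makes the error go away, here is an added Python example that is not from this thread: it builds the same kind of OR clause from a list of constructed indicator values, next to the unquoted form that reproduces the parse errors, and checks parentheses outside quoted strings the way a search parser would. The escaping rule (backslash and double quote) is assumed from SPL's double-quoted string syntax; `SAMPLE_INDICATORS` are constructed values.

```python
# Constructed sample indicators: the URL shape from the question plus two
# values with characters that also break an unquoted subsearch.
SAMPLE_INDICATORS = [
    "http://IP/ies/api.cgi?act=getConfig&id",
    "http://example.invalid/path/(open",
    'bad"quote.example.invalid',
    "http://IP/ies/api.cgi?act=getConfig&id",  # duplicate, dropped below
]

def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL string literal. Inside double quotes
    only backslash and the quote itself are special; '=', '(', ')' and '&'
    become plain characters."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def build_indicator_filter(indicators, field="indicator"):
    """Build the OR clause that `| format` emits for a subsearch: one quoted
    comparison per indicator, so '=' or '(' inside a URL is no longer syntax."""
    unique = [v for v in dict.fromkeys(indicators) if v]
    if not unique:
        raise ValueError("no indicators to build a filter from")
    return "( " + " OR ".join(f"( {field}={spl_quote(v)} )" for v in unique) + " )"

def naive_filter(indicators, field="indicator"):
    """The unquoted form that reproduces the errors in the question."""
    return " OR ".join(f"{field}={v}" for v in dict.fromkeys(indicators) if v)

def parens_balanced(spl: str) -> bool:
    """True if parentheses balance outside double-quoted strings."""
    depth, in_str, i = 0, False, 0
    while i < len(spl):
        c = spl[i]
        if in_str:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0 and not in_str
```

Running `parens_balanced(naive_filter(SAMPLE_INDICATORS))` returns False while the quoted filter passes, which is the difference between `return $indicator` feeding raw values into the outer search and `format` emitting quoted comparisons.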

Builder

It's not the equals sign that's tripping you up. It's the double quotes before the equals sign. Move the second pair of double quotes to the end of the URL.

###

If this reply helps you, an upvote would be appreciated.
0 Karma