- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Possible to output a literal string with backslash...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am attempting to use a lookup to feed some UNC file paths into a dashboard search, but I am getting tripped by all the escaping of the backslashes and double quites in my string.
I want to call a field from a lookup with something like this as the actual value:
file_path="\\\\*\\branch\\system\\type1\\*" OR file_path="\\\\*\\branch\\system\\type2\\*"
I want to populate a field in my lookup table with actual key/value pairs and output the entire string based on a menu selection. Unfortunately, if I try this, Splunk escapes all the double quotes and all the backslashes and it ends up looking like this in the litsearch, which is basically useless:
file_path=\"\\\\\\\\*\\\\branch\\\\service\\\\type1\\\\*\" OR file_path=\"\\\\\\\\*\\\\branch\\\\service\\\\type2\\\\*\"
How can I either properly escape the value within the lookup table so this doesn't happen, or is there any way to get Splunk to output the lookup value as a literal string and not try to interpret it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using tokens set to the ASCII hex value. When written the token gets replaced by the single character.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using tokens set to the ASCII hex value. When written the token gets replaced by the single character.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did an inputlookup to get my field (uploads) and used this piece of search I found on another post:
| fields uploads
| rex field=uploads mode=sed "s/(\d+)/%\1/g"
| eval decode=urldecode(uploads)I think I'm very close, but my decoded string has a space between every character looking something like this:
\ \ \ \ * \ \ b r a n c h \ \ s y s t e m \ \ t y p e 1 \ \ *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A second layer of sed script successfully strips the excess whitespace, but it doesn't look like I can include a double quote, even encoded, without Splunk escaping it in the value. I was really hoping to chain several OR statements into a single lookup value, but I guess that isn't possible.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
