Splunk Search

Possible to output a literal string with backslashes from a lookup without escaping?

DaClyde
Contributor

I am attempting to use a lookup to feed some UNC file paths into a dashboard search, but I am getting tripped by all the escaping of the backslashes and double quites in my string.

I want to call a field from a lookup with something like this as the actual value:

file_path="\\\\*\\branch\\system\\type1\\*" OR file_path="\\\\*\\branch\\system\\type2\\*"

I want to populate a field in my lookup table with actual key/value pairs and output the entire string based on a menu selection.  Unfortunately, if I try this, Splunk escapes all the double quotes and all the backslashes and it ends up looking like this in the litsearch, which is basically useless:

file_path=\"\\\\\\\\*\\\\branch\\\\service\\\\type1\\\\*\" OR file_path=\"\\\\\\\\*\\\\branch\\\\service\\\\type2\\\\*\"

How can I either properly escape the value within the lookup table so this doesn't happen, or is there any way to get Splunk to output the lookup value as a literal string and not try to interpret it?

Labels (1)
0 Karma
1 Solution

dural_yyz
Builder

Try using tokens set to the ASCII hex value.  When written the token gets replaced by the single character.

View solution in original post

dural_yyz
Builder

Try using tokens set to the ASCII hex value.  When written the token gets replaced by the single character.

DaClyde
Contributor

I did an inputlookup to get my field (uploads) and used this piece of search I found on another post:

| fields uploads
| rex field=uploads mode=sed "s/(\d+)/%\1/g"
| eval decode=urldecode(uploads)

I think I'm very close, but my decoded string has a space between every character looking something like this:

\ \ \ \ * \ \ b r a n c h \ \ s y s t e m \ \ t y p e 1 \ \ *

 

0 Karma

DaClyde
Contributor

A second layer of sed script successfully strips the excess whitespace, but it doesn't look like I can include a double quote, even encoded, without Splunk escaping it in the value.  I was really hoping to chain several OR statements into a single lookup value, but I guess that isn't possible.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...