Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Possible to output a literal string with backslashes from a lookup without escaping?

DaClyde
Contributor
‎11-12-2024 09:04 AM

I am attempting to use a lookup to feed some UNC file paths into a dashboard search, but I am getting tripped by all the escaping of the backslashes and double quites in my string.

I want to call a field from a lookup with something like this as the actual value:

file_path="\\\\*\\branch\\system\\type1\\*" OR file_path="\\\\*\\branch\\system\\type2\\*"

I want to populate a field in my lookup table with actual key/value pairs and output the entire string based on a menu selection.  Unfortunately, if I try this, Splunk escapes all the double quotes and all the backslashes and it ends up looking like this in the litsearch, which is basically useless:

file_path=\"\\\\\\\\*\\\\branch\\\\service\\\\type1\\\\*\" OR file_path=\"\\\\\\\\*\\\\branch\\\\service\\\\type2\\\\*\"

How can I either properly escape the value within the lookup table so this doesn't happen, or is there any way to get Splunk to output the lookup value as a literal string and not try to interpret it?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎11-13-2024 06:32 AM

Try using tokens set to the ASCII hex value.  When written the token gets replaced by the single character.

View solution in original post

Reply
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎11-13-2024 06:32 AM

Try using tokens set to the ASCII hex value.  When written the token gets replaced by the single character.

Reply
Solved! Jump to solution

DaClyde
Contributor
‎11-13-2024 10:36 AM

I did an inputlookup to get my field (uploads) and used this piece of search I found on another post:

| fields uploads
| rex field=uploads mode=sed "s/(\d+)/%\1/g"
| eval decode=urldecode(uploads)

I think I'm very close, but my decoded string has a space between every character looking something like this:

\ \ \ \ * \ \ b r a n c h \ \ s y s t e m \ \ t y p e 1 \ \ *

 

0 Karma
Reply
Solved! Jump to solution

DaClyde
Contributor
‎11-13-2024 12:45 PM

A second layer of sed script successfully strips the excess whitespace, but it doesn't look like I can include a double quote, even encoded, without Splunk escaping it in the value.  I was really hoping to chain several OR statements into a single lookup value, but I guess that isn't possible.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...