Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Possible to output a literal string with backslashes from a lookup without escaping?

DaClyde
Contributor
‎11-12-2024 09:04 AM

I am attempting to use a lookup to feed some UNC file paths into a dashboard search, but I am getting tripped by all the escaping of the backslashes and double quites in my string.

I want to call a field from a lookup with something like this as the actual value:

file_path="\\\\*\\branch\\system\\type1\\*" OR file_path="\\\\*\\branch\\system\\type2\\*"

I want to populate a field in my lookup table with actual key/value pairs and output the entire string based on a menu selection.  Unfortunately, if I try this, Splunk escapes all the double quotes and all the backslashes and it ends up looking like this in the litsearch, which is basically useless:

file_path=\"\\\\\\\\*\\\\branch\\\\service\\\\type1\\\\*\" OR file_path=\"\\\\\\\\*\\\\branch\\\\service\\\\type2\\\\*\"

How can I either properly escape the value within the lookup table so this doesn't happen, or is there any way to get Splunk to output the lookup value as a literal string and not try to interpret it?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎11-13-2024 06:32 AM

Try using tokens set to the ASCII hex value.  When written the token gets replaced by the single character.

View solution in original post

Reply
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎11-13-2024 06:32 AM

Try using tokens set to the ASCII hex value.  When written the token gets replaced by the single character.

Reply
Solved! Jump to solution

DaClyde
Contributor
‎11-13-2024 10:36 AM

I did an inputlookup to get my field (uploads) and used this piece of search I found on another post:

| fields uploads
| rex field=uploads mode=sed "s/(\d+)/%\1/g"
| eval decode=urldecode(uploads)

I think I'm very close, but my decoded string has a space between every character looking something like this:

\ \ \ \ * \ \ b r a n c h \ \ s y s t e m \ \ t y p e 1 \ \ *

 

0 Karma
Reply
Solved! Jump to solution

DaClyde
Contributor
‎11-13-2024 12:45 PM

A second layer of sed script successfully strips the excess whitespace, but it doesn't look like I can include a double quote, even encoded, without Splunk escaping it in the value.  I was really hoping to chain several OR statements into a single lookup value, but I guess that isn't possible.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...