I am using an input lookup to exclude results from a search (e.g. index=main NOT [| inputlookup test_lookup.csv | fields value]). The searches I am trying to exclude contain values with quotes, such as "foo" bar bat.
It seems that if the first word in a lookup table value is surrounded in quotes, it will take the word surrounded in quotes as the value for that field and ignore the rest. A lookup of the example above returns only foo. Quotes appear to work fine around words, so long as they are not the first word in the value.
I've cruised around looking for the answer, and came across a number of posts suggesting triple quoting, using hex char value for quotes, etc., and I've also tried a number of things on my own without any success. Thus I have come here.
The lookup result I am trying to get is: "foo" bar bat
Here is the contents of my lookup file:
value,comment
"foo" bar bat, double quotes around first word
foo "bar" bat, double quotes around second word
foo bar "bat", double quotes around third word
"""foo""" bar bat, triple-double quotes around first word
\"foo\" bar bat, backslash escaped double quotes around first word
'"foo" bar bat', single quotes around the whole field
and here are the results of the lookup table:
Thanks in advance for any assistance.
I ended up implementing a terrible workaround. I am still open to better solutions...
Example using the lookup table in the original post: I preceded the first line (the one giving me issues) with a single quote.
value,comment
'"foo" bar bat, double quotes around first word (with preceeding single quote)
foo "bar" bat, double quotes around second word
foo bar "bat", double quotes around third word
"""foo""" bar bat, triple-double quotes around first word
\"foo\" bar bat, backslash escaped double quotes around first word
'"foo" bar bat', single quotes around the whole field
I was then able to use rex/sed to remove the single quote within my inputlookup
|inputlookup test_lookup.csv| fields value, comment |rex field=value mode=sed "s/^\'\"/\"/"
Resulting in the ultimate query of
index=test source= foobarbat.txt NOT [ |inputlookup test_lookup.csv| fields value, comment |rex field=value mode=sed "s/^\'\"/\"/" ]
Post the output of this command:
|inputlookup test_lookup.csv | fields value comment | format
Here's the output:
( ( comment="double quotes around first word" AND value="foo" ) OR ( comment="double quotes around second word" AND value="foo \"bar\" bat" ) OR ( comment="double quotes around third word" AND value="foo bar \"bat\"" ) OR ( comment="triple-double quotes around first word" AND value="\"foo\"" ) OR ( comment="backslash escaped double quotes around first word" AND value="\\\"foo\\\" bar bat" ) OR ( comment="single quotes around the whole field" AND value="'\"foo\" bar bat'" ) )
Sorry, I should have said:
|inputlookup test_lookup.csv | fields value | format
Which would have given this:
( ( value="foo" ) OR ( value="foo \"bar\" bat" ) OR ( value="foo bar \"bat\"" ) OR ( value="\"foo\"" ) OR ( value="\\\"foo\\\" bar bat" ) OR ( value="'\"foo\" bar bat'" ) )
Now. What would you like the output to be?
I am trying to use the lookup to exclude "foo" bar bat from my results (e.g. index=test NOT [| inputlookup test_lookup.csv | fields value| format] ). So I guess I am looking for it to return
\"foo\" bar bat
However, it does appear to do some escaping of characters on its own, so I don't really know what I want it to "look" like, I just know what I want the end result to be, not to show the second line in the results of:
source="foobarbat.txt" index="test"
_time value
2018-07-01 11:30:00 something different
2018-07-01 11:00:00 "foo" bar bat
edit: formatting
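Added example, not part of the original thread: a Python check for exclusion-lookup files that flags a first column opening with a double quote but carrying text after the closing quote (the pattern behind value="foo" and value="\"foo\"" in the format output above), plus a writer that emits the standard CSV encoding. It assumes the lookup reader follows standard CSV quoting (wrap the field, double inner quotes) and that records are single-line; the function names are hypothetical.

```python
import csv
import io

# The lookup file exactly as posted in the thread (raw string keeps the backslashes).
THREAD_LOOKUP = r'''value,comment
"foo" bar bat, double quotes around first word
foo "bar" bat, double quotes around second word
foo bar "bat", double quotes around third word
"""foo""" bar bat, triple-double quotes around first word
\"foo\" bar bat, backslash escaped double quotes around first word
'"foo" bar bat', single quotes around the whole field
'''

def quoted_prefix(raw):
    """For raw text that opens with a double quote, return (value, leftover).
    value is what a reader that stops at the closing quote keeps (assumed behaviour);
    leftover is the text after that quote, or None if the quote never closes."""
    out, i = [], 1
    while i < len(raw):
        if raw[i] == '"':
            if raw[i + 1:i + 2] == '"':      # doubled quote is one literal quote
                out.append('"')
                i += 2
                continue
            return "".join(out), raw[i + 1:]
        out.append(raw[i])
        i += 1
    return "".join(out), None

def lint_lookup(text):
    """Flag single-line records whose first column is quoted but malformed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith('"'):
            continue
        value, leftover = quoted_prefix(line)
        if leftover is None:
            findings.append((lineno, value, "unterminated quote"))
        elif leftover and not leftover.startswith(","):
            findings.append((lineno, value, "text after closing quote"))
    return findings

def write_lookup(rows, header=("value", "comment")):
    """Serialize rows with standard CSV quoting: wrap the field, double inner quotes."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()
```

Run against the thread's file, lint_lookup flags lines 2 and 5 with the truncated values foo and "foo"; write_lookup encodes the wanted value as """foo"" bar bat", which passes the check.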