Splunk Search

Quotes around first word in inputlookup value

toph3r
Explorer

I am using an input lookup to exclude results from a search (e.g. index=main NOT [| inputlookup test_lookup.csv | fields value]). The searches I am trying to exclude contain values with quotes, such as "foo" bar bat.

It seems that if the first word in a lookup table value is surrounded in quotes, it will take the word surrounded in quotes as the value for that field and ignore the rest. A lookup of the example above returns only foo. Quotes appear to work fine around words, so long as they are not the first word in the value.

I've cruised around looking for the answer, and came across a number of posts suggesting triple quoting, using hex char value for quotes, etc and I've also tried a number of things on my own without any success. Thus I have come here.

The lookup result I am trying to get is: "foo" bar bat

Here is the contents of my lookup file:

value,comment
"foo" bar bat, double quotes around first word
foo "bar" bat, double quotes around second word
foo bar "bat", double quotes around third word
"""foo""" bar bat, triple-double quotes around first word
\"foo\" bar bat, backslash escaped double quotes around first word
'"foo" bar bat', single quotes around the whole field

and here are the results of the lookup table:

[screenshot: input_lookup results]

Thanks in advance for any assistance.

0 Karma
1 Solution

toph3r
Explorer

I ended up implementing a terrible workaround. I am still open to better solutions...

Example using the lookup table in the original post: I preceded the first line (the one giving me issues) with a single quote.

value,comment
'"foo" bar bat, double quotes around first word (with preceding single quote)
foo "bar" bat, double quotes around second word
foo bar "bat", double quotes around third word
"""foo""" bar bat, triple-double quotes around first word
\"foo\" bar bat, backslash escaped double quotes around first word
'"foo" bar bat', single quotes around the whole field 

I was then able to use rex/sed to remove the single quote within my inputlookup

|inputlookup test_lookup.csv| fields value, comment |rex field=value mode=sed "s/^\'\"/\"/"

Resulting in the ultimate query of

index=test source="foobarbat.txt" NOT [ |inputlookup test_lookup.csv| fields value, comment |rex field=value mode=sed "s/^\'\"/\"/" ]


0 Karma

woodcock
Esteemed Legend

Post the output of this command:

|inputlookup test_lookup.csv | fields value comment | format
0 Karma

toph3r
Explorer

Here's the output:
( ( comment="double quotes around first word" AND value="foo" ) OR ( comment="double quotes around second word" AND value="foo \"bar\" bat" ) OR ( comment="double quotes around third word" AND value="foo bar \"bat\"" ) OR ( comment="triple-double quotes around first word" AND value="\"foo\"" ) OR ( comment="backslash escaped double quotes around first word" AND value="\\\"foo\\\" bar bat" ) OR ( comment="single quotes around the whole field" AND value="'\"foo\" bar bat'" ) )

0 Karma

woodcock
Esteemed Legend

Sorry, I should have said:

|inputlookup test_lookup.csv | fields value comment | format

Which would have given this:

( ( value="foo" ) OR ( value="foo \"bar\" bat" ) OR ( value="foo bar \"bat\"" ) OR ( value="\"foo\"" ) OR ( value="\\\"foo\\\" bar bat" ) OR ( value="'\"foo\" bar bat'" ) )

Now. What would you like the output to be?

0 Karma

toph3r
Explorer

I am trying to use the lookup to exclude "foo" bar bat from my results (e.g.
index=test NOT [| inputlookup test_lookup.csv | fields value| format] ). So I guess I am looking for it to return
\"foo\" bar bat

However, it does appear to do some escaping of characters on its own, so I don't really know what I want it to "look" like, I just know what I want the end result to be, not to show the second line in the results of:

source="foobarbat.txt" index="test"
_time                  value
2018-07-01 11:30:00 something different
2018-07-01 11:00:00 "foo" bar bat

edit: formatting

0 Karma
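The six lookup rows and the `format` output quoted in this thread are consistent with an RFC 4180 reading of the CSV: a field that begins with a double quote is a quoted field, a doubled quote inside it is a literal quote, the next lone quote closes it, and anything between that closing quote and the comma is dropped. That is why `"foo" bar bat,...` yields `foo` and `"""foo""" bar bat,...` yields `"foo"`. Under that reading the file-level fix is to encode the whole field the RFC 4180 way, `"""foo"" bar bat"`, instead of stripping an apostrophe with sed. The script below is an added example, my own code and not anything from the thread or from Splunk: `parse_first_field` is a small lenient reader I wrote that reproduces the six observed values, `csv_quote` and `write_lookup` produce the correct encoding, `apply_sed_workaround` mirrors the accepted workaround, and `format_clause` rebuilds the clause the thread's `format` command printed, including its backslash-then-quote escaping. The rows and observed values are copied from the posts above; that Splunk's lookup parser accepts the doubled-quote form is an inference from that output, so confirm it on your own instance with `| inputlookup test_lookup.csv | fields value | format` before relying on it.

```python
"""Why the lookup row  "foo" bar bat,...  comes back as just  foo,
and how to encode the field so it round-trips.

Constructed example: ORIGINAL_LINES are the rows from the thread's lookup
file and OBSERVED_VALUES are what the thread's `format` output showed for
them. The parsing and escaping code is mine, not Splunk's.
"""
import csv
import io
import re

# Rows from the original post's test_lookup.csv (header omitted).
ORIGINAL_LINES = [
    '"foo" bar bat, double quotes around first word',
    'foo "bar" bat, double quotes around second word',
    'foo bar "bat", double quotes around third word',
    '"""foo""" bar bat, triple-double quotes around first word',
    '\\"foo\\" bar bat, backslash escaped double quotes around first word',
    '\'"foo" bar bat\', single quotes around the whole field',
]

# The `value` each row produced, taken from the `format` output in the thread.
OBSERVED_VALUES = [
    'foo',
    'foo "bar" bat',
    'foo bar "bat"',
    '"foo"',
    '\\"foo\\" bar bat',
    '\'"foo" bar bat\'',
]


def parse_first_field(line: str) -> str:
    """Lenient RFC 4180 reader for the first field of one row.

    A field that starts with a double quote is a quoted field: "" inside it
    is a literal quote, the next lone quote closes it, and anything between
    that closing quote and the delimiter is dropped. This one rule
    reproduces all six observed values. An unquoted field runs to the comma.
    """
    if not line.startswith('"'):
        return line.split(",", 1)[0]
    out = []
    i = 1
    while i < len(line):
        ch = line[i]
        if ch == '"':
            if line[i + 1:i + 2] == '"':   # doubled quote -> literal "
                out.append('"')
                i += 2
                continue
            break                           # closing quote: rest is discarded
        out.append(ch)
        i += 1
    return "".join(out)


def csv_quote(value: str) -> str:
    """Encode one field per RFC 4180: wrap in double quotes when it contains
    a quote, comma or line break, and double every embedded double quote."""
    if any(ch in value for ch in '",\r\n'):
        return '"' + value.replace('"', '""') + '"'
    return value


def write_lookup(rows) -> str:
    """Write (value, comment) rows with the standard library; csv.writer
    applies the same RFC 4180 quoting as csv_quote."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["value", "comment"])
    writer.writerows(rows)
    return buf.getvalue()


def strict_stdlib_first_field(line: str):
    """Parse with csv.reader in strict mode, which rejects a malformed row
    (text after the closing quote) instead of silently truncating it.
    Returns None for a malformed row."""
    try:
        return next(csv.reader([line], strict=True))[0]
    except csv.Error:
        return None


def apply_sed_workaround(value: str) -> str:
    """The thread's  rex mode=sed "s/^\\'\\"/\\"/"  : the leading apostrophe
    keeps the field from being read as a quoted field, then is stripped."""
    return re.sub(r"^'\"", '"', value)


def spl_escape(value: str) -> str:
    """Escape a value for a double-quoted SPL string the way the thread's
    `format` output shows: backslashes first, then double quotes."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def format_clause(values) -> str:
    """Rebuild the search clause `| fields value | format` emits."""
    terms = " OR ".join(f'( value="{spl_escape(v)}" )' for v in values)
    return f"( {terms} )"


if __name__ == "__main__":
    for line in ORIGINAL_LINES:
        print(repr(parse_first_field(line)))
    print(write_lookup([('"foo" bar bat', "double quotes around first word")]))
    print(format_clause(['"foo" bar bat']))
```

Generate lookup files with a CSV library (here `csv.writer`) rather than by hand: it quotes and doubles the embedded quotes for you, and the strict-mode reader flags the malformed row that the lenient parser silently truncates.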