Solved: Re: Search for result with double quotes

hendrkle · ‎09-03-2013

Hello,

I'm new to Splunk and am search for an event that would include this:

toState: "stateB",", fromState: "stateA"

Since the result has double quotes, if I use the above as a search, it will include a variety of events that I don't want to see because it doesn't take it as one string.

Any advice you could offer?

apakhomov · ‎09-03-2013

Hello,
You can use backslashes for that. The search string is:

"toState: \"stateB\",\", fromState: \"stateA\""

Best regards,
Artem.

View solution in original post

rlshep · ‎06-05-2018

The search string should be

"toState: \"stateB\",\", fromState: \"stateA\""

apakhomov · ‎09-03-2013

Hello,
You can use backslashes for that. The search string is:

"toState: \"stateB\",\", fromState: \"stateA\""

Best regards,
Artem.

yuanliu · ‎10-23-2019

I downvoted this post because the correct syntax should have only one backslash escape.

apakhomov · ‎09-03-2013

Please, check the case of letters. StateA and stateA are different conditions for the system.

hendrkle · ‎09-03-2013

Thanks Artem,

Using your suggestion, I get zero events back, even if I simply it like this:

"fromState: \"StateA\""

Any idead why this may be?

fromState is in a a huge string and I cannot use it as a field (I think).

Thanks

apakhomov · ‎09-03-2013

However I would better suppose to extract the fields toState and formState. After extracting you will be able to use search string:
toState=stateB fromState=stateA

Search for result with double quotes

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation