Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for result with double quotes

hendrkle
New Member
‎09-03-2013 03:36 AM

Hello,

I'm new to Splunk and am search for an event that would include this:

toState: "stateB",", fromState: "stateA"

Since the result has double quotes, if I use the above as a search, it will include a variety of events that I don't want to see because it doesn't take it as one string.

Any advice you could offer?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

apakhomov
Path Finder
‎09-03-2013 05:13 AM

Hello,
You can use backslashes for that. The search string is:

"toState: \"stateB\",\", fromState: \"stateA\""

Best regards,
Artem.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rlshep
New Member
‎06-05-2018 03:11 PM

The search string should be

"toState: \"stateB\",\", fromState: \"stateA\""

0 Karma
Reply
Solved! Jump to solution
Solution

apakhomov
Path Finder
‎09-03-2013 05:13 AM

Hello,
You can use backslashes for that. The search string is:

"toState: \"stateB\",\", fromState: \"stateA\""

Best regards,
Artem.

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-23-2019 09:08 PM

I downvoted this post because the correct syntax should have only one backslash escape.

0 Karma
Reply
Solved! Jump to solution

apakhomov
Path Finder
‎09-03-2013 07:51 AM

Please, check the case of letters. StateA and stateA are different conditions for the system.

0 Karma
Reply
Solved! Jump to solution

hendrkle
New Member
‎09-03-2013 07:32 AM

Thanks Artem,

Using your suggestion, I get zero events back, even if I simply it like this:

"fromState: \"StateA\""

Any idead why this may be?

fromState is in a a huge string and I cannot use it as a field (I think).

Thanks

0 Karma
Reply
Solved! Jump to solution

apakhomov
Path Finder
‎09-03-2013 05:39 AM

However I would better suppose to extract the fields toState and formState. After extracting you will be able to use search string:
toState=stateB fromState=stateA

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...