Hello,
I'm new to Splunk and am searching for an event that would include this:
toState: "stateB",", fromState: "stateA"
Since the result has double quotes, if I use the above as a search, it will include a variety of events that I don't want to see because it doesn't take it as one string.
Any advice you could offer?
Hello,
You can use backslashes for that. The search string is:
"toState: \"stateB\",\", fromState: \"stateA\""
Best regards,
Artem.
The search string should be
"toState: \"stateB\",\", fromState: \"stateA\""
I downvoted this post because the correct syntax should have only one backslash escape.
Please, check the case of letters. StateA and stateA are different conditions for the system.
Thanks Artem,
Using your suggestion, I get zero events back, even if I simplify it like this:
"fromState: \"StateA\""
Any idea why this may be?
fromState is in a huge string and I cannot use it as a field (I think).
Thanks
However, I would rather suggest extracting the fields toState and fromState. After extracting, you will be able to use the search string:
toState=stateB fromState=stateA
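
Added example, not part of the original thread: one way to do the extraction suggested above at search time with `rex`, then filter on the extracted fields. The three events are constructed with `makeresults` so the search runs without any index; the event layout around the two key/value pairs is an assumption.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "constructed sample: toState: \"stateB\", fromState: \"stateA\" end",
    n=2, "constructed sample: toState: \"stateC\", fromState: \"stateA\" end",
    n=3, "constructed sample: toState: \"stateB\", fromState: \"stateZ\" end")
| rex "toState: \"(?<toState>[^\"]+)\""
| rex "fromState: \"(?<fromState>[^\"]+)\""
| search toState="stateB" fromState="stateA"
| table n toState fromState _raw
```

Only the first constructed event is returned. Against real data, replace the first three commands with the base search for your index and sourcetype.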