Solved: What regex will be needed to remove the double quo...

JoshuaJohn · ‎02-28-2018

This populates from a dropdown menu

| search "Application"=""T zone 10.2" OR "Application"="Nitro Run 10.1" OR "Application"="Runner 9.9""

I want to remove the duplicate double quote before T zone 10.2 and after Runner 9.9. I need the single double quote to remain as the app names have spaces.

Any regex ideas? So far mine removes all quotes, which isn't what I want

somesoni2 · ‎02-28-2018

Share the dropdown search. You probably need to add a | rex mode=sed... type of statement in your search.

View solution in original post

somesoni2 · ‎02-28-2018

Share the dropdown search. You probably need to add a | rex mode=sed... type of statement in your search.

JoshuaJohn · ‎02-28-2018

That is exactly, what I did. Worked perfectly! Thank you.

cpetterborg · ‎02-28-2018

Am I missing something, or do you need this to be generated somehow? Why can't you just use the backspace key to remove the quotes that you don't want? There doesn't seem to be enough information here to answer you question.

What regex will be needed to remove the double quotes and leave single quotes in place?

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!