I am currently trying to write a search which will, after specific conditions are met, display the subject field values of email logs. If/when the subject contains an apostrophe, only the text up to and including the apostrophe is displayed.
If the subject field appears as follows:
subject='There's a secret you should know about'
I want to finish the search with the statement
|table subject,_raw
or
|stats values(subject)
The only text that is returned is 'There'
Is there a way that the complete field value can be displayed?
Thank you.
The problem is you have an odd number of un-escaped quotation marks (a.k.a. 'apostrophe') in that field. The best solution is to change how the field is written so it puts double-quotes ('"') around the field or escapes the single quote. If that's not possible, you may have to use rex on _raw to parse out the subject field yourself.
... | rex "subject='(?<subject>.*?)' foo=" | ...
where 'foo' is the name of the field that follows subject.
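To show why the naive extraction truncates at the apostrophe and why anchoring the lazy match to the next field fixes it, here is an added example that is not part of the original question or answer. It uses Python's re module as a stand-in for Splunk's rex (the pattern syntax is the same for this case), constructs its own sample log lines, and assumes a field named 'sender' follows subject, playing the role of 'foo' in the answer. It also includes a small writer that emits the field the way the answer recommends (double-quoted, with embedded quotes escaped).

```python
import re

# Constructed sample log lines (not from the original post); 'sender' stands in
# for the 'foo' field that follows subject in the answer.
LOG_LINES = [
    "subject='There's a secret you should know about' sender='alice@example.com' size=1024",
    "subject='Quarterly report' sender='bob@example.com' size=2048",
    "subject='Don't forget: it's today' sender='carol@example.com' size=512",
]

# Naive pattern: the character class stops at the first apostrophe, which is the
# truncation the question describes ("There" instead of the whole subject).
NAIVE = re.compile(r"subject='([^']*)'")

# Anchored pattern: lazily consume up to the closing quote that is immediately
# followed by the next field. Embedded apostrophes no longer end the match.
ANCHORED = re.compile(r"subject='(?P<subject>.*?)' sender=")


def extract_naive(line):
    """Return the subject using the naive single-quote delimited pattern."""
    m = NAIVE.search(line)
    return m.group(1) if m else None


def extract_anchored(line):
    """Return the subject using the pattern anchored on the following field."""
    m = ANCHORED.search(line)
    return m.group("subject") if m else None


def write_field(name, value):
    """Emit a key=value pair the way the answer recommends: double-quoted, with
    embedded backslashes and double quotes escaped so extraction is unambiguous."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{name}="{escaped}"'


if __name__ == "__main__":
    for line in LOG_LINES:
        print("naive   :", extract_naive(line))
        print("anchored:", extract_anchored(line))
    print(write_field("subject", "There's a secret you should know about"))
```

The anchored pattern relies on the field order being stable: if the subject itself could contain the literal text `' sender=`, or if the next field is sometimes absent, the extraction is ambiguous again, which is why fixing the producer (write_field above) is the more robust option.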