How can I escape double quotes in a token to modify a search?

johnraftery
Communicator

I have a search which sometimes I want to do an append, and sometimes not - this should be driven by a checkbox in the GUI. The optional append looks like this:

| append [ search eventtype=x sourcetype=y host=z | eval series=if(like(source, "%vmstat_DB_%"), "CPU DB", source), | rename cpu_used as value | table _time series value ]

I have defined a checkbox like this:

<input type="checkbox" token="CPU_IN_TPS" searchWhenChanged="true">
  <choice value="| append [ search eventtype=x sourcetype=y host=z | eval series=if(like(source, "%vmstat_DB_%"), "CPU DB", source), | rename cpu_used as value | table _time series value ]">ON</choice>
</input>

And $CPU_IN_TPS$ goes at the end of my main search.

My problem is that double quotes are not accepted inside a token value. Is there a way of escaping them? Should I be using a macro instead?

Many thanks,
John Raftery

1 Solution

renjith_nair
Legend

In XML you can use &quot; instead of ". It's working for me.

<choice value="&quot; | append [ search eventtype=x sourcetype=y host=z | eval series=if(like(source, &quot;%vmstat_DB_%&quot;), &quot;CPU DB&quot;, source), | rename cpu_used as value | table _time series value ]&quot;">ON</choice>
---
What goes around comes around. If it helps, hit it with Karma 🙂
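
An added example, not part of any post in this thread: a Python sketch that escapes the SPL fragment from the question for a `<choice value="...">` attribute and parses the XML back to confirm that the quotes and commas survive. The helper names are hypothetical, and `token_s_filter` only models the `$token|s$` output shown elsewhere in this thread; it is not Splunk's implementation.

```python
"""Escape an SPL fragment for a Simple XML <choice value="..."> attribute."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SPL fragment copied from the question.
APPEND_SPL = (
    '| append [ search eventtype=x sourcetype=y host=z '
    '| eval series=if(like(source, "%vmstat_DB_%"), "CPU DB", source), '
    '| rename cpu_used as value | table _time series value ]'
)


def escape_attr(value: str) -> str:
    """Escape &, <, > and " so the value is safe inside value="..."."""
    return escape(value, {'"': "&quot;"})


def checkbox_input(token: str, label: str, spl: str) -> str:
    """Render the checkbox <input> with the SPL as an escaped choice value."""
    return (
        f'<input type="checkbox" token="{escape_attr(token)}" '
        f'searchWhenChanged="true">\n'
        f'  <choice value="{escape_attr(spl)}">{escape(label)}</choice>\n'
        f'</input>'
    )


def choice_value(xml_text: str) -> str:
    """Parse the XML and return the attribute value as the dashboard reads it."""
    return ET.fromstring(xml_text).find("choice").get("value")


def token_s_filter(value: str) -> str:
    """Model of $token|s$ as shown in this thread: escape " and wrap in quotes."""
    return '"' + value.replace('"', '\\"') + '"'


if __name__ == "__main__":
    xml_text = checkbox_input("CPU_IN_TPS", "ON", APPEND_SPL)
    print(xml_text)
    print("round trip ok:", choice_value(xml_text) == APPEND_SPL)
    print(token_s_filter('asdf="asdf"'))
```

The XML parser hands back the SPL exactly as written, so any characters that go missing in the final search are lost after the XML layer, not in it.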


weidertc
Contributor

You can use a token modifier |s to escape double quotes.

$token$
$token|s$

The values of the tokens get parsed

asdf="asdf"
"asdf=\"asdf\""

Unfortunately, this also adds double quotes around it, which makes this modifier useless in all my work.  I would have preferred only having 1 effect per modifier that can stack with others for those that want both, but this might work for others.

The modifiers for tokens inside of alert action email bodies may not be available, but it will work in dashboards.

Source: https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/tokens#Syntax_to_consume_tokens

kgtardiff
New Member

For the panel requiring the double quotes to be escaped (\"), add:
|rex mode=sed field=FIELD_REQUIRING_ESCAPES "s/\"/"\\""/g"

It's using a Linux sed equivalent to replace every occurrence of " (\") with \" ("\\""). Different than Linux syntax, but it's working for me...

0 Karma

johnraftery
Communicator

Never mind - I had the checkbox set up wrong. Thanks for your help!

0 Karma

johnraftery
Communicator

This solved the quote issue - thanks very much. Strangely, the commas seem to disappear in the search - I end up with
eval series=if(like(source "%vmstat_DB_%") "CPU DB" source
Did you have this as well?

0 Karma

renjith_nair
Legend

Not really. The dashboard below works perfectly.

<form>
  <label>TEST</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="field1" searchWhenChanged="true">
      <choice value="| append [ |stats count| eval series=if(like(count, &quot;%vmstat_DB_%&quot;), &quot;CPU DB&quot;, count) | rename cpu_used as value | table _time series value ]">Test</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Test $field1$</title>
      <table>
        <search>
          <query>|stats count|eval count=100 $field1$</query>
          <earliest>0</earliest>
        </search>
      </table>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

johnraftery
Communicator

I get an error when trying to use the fieldset node:
XML Syntax Error: Row, on line=320, contains unknown node=fieldset on line=321.

What does this node do?

0 Karma