Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I escape the ' in Splunk search while running from command line?

chetanhonnavile
Explorer
‎12-05-2017 11:58 AM

Here is my query...

curl -ku "user:password" https://myserver.com:8089/services/search/jobs/export --data-urlencode search='search index=logs1 daysago=1 "user's password changed' -o splunkDataForLast24Hour.csv

Above query fails because of single quote in "user's" string, the query will work if I take out that quote but I want it to be there to find out the exact phrase.

Even placing backslash did not help. Any inputs?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎12-05-2017 01:05 PM

The single quote is being interpreted by curl as the breaker for your opening single quote for the search. Try escaping the single quote in user's with a backslash wrapped in single quotes. So it will look like this: user'\''s

If you cut and paste the search above, you're also missing a closing set of double quotes, btw. I expect your total command should look like this:

curl -ku "user:password" https://myserver.com:8089/services/search/jobs/export --data-urlencode search='search index=logs1 daysago=1 "user'\''s password changed"' -o splunkDataForLast24Hour.csv

View solution in original post

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-05-2017 03:34 PM

Just look for “password changed” instead...

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎12-05-2017 01:05 PM

The single quote is being interpreted by curl as the breaker for your opening single quote for the search. Try escaping the single quote in user's with a backslash wrapped in single quotes. So it will look like this: user'\''s

If you cut and paste the search above, you're also missing a closing set of double quotes, btw. I expect your total command should look like this:

curl -ku "user:password" https://myserver.com:8089/services/search/jobs/export --data-urlencode search='search index=logs1 daysago=1 "user'\''s password changed"' -o splunkDataForLast24Hour.csv

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎12-05-2017 01:07 PM

BTW, according to this post (https://stackoverflow.com/questions/32122586/curl-escape-single-quote) you might also have success if you change your single quotes around the search value to double-quotes and escape the double-quotes within the search using regular backlashes.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...