Re: When does splunk add double quotation in outpu...

yuwtennis · ‎12-10-2013

Hi!

I found that when you execute outputcsv in splunk (ver 5.0.3), some fields has double quotation but some does not.
My question is ,

When does splunk add the double quotation?
Can you control the appearance ?

Any help is appreciated!

Thanks,
Yu

MuS · ‎10-15-2014

Hi yuwtennis and sajbutler,

did some tests and here are the results: You will get double quotes when there is any special character (like . or - or a space) in the values.
Here are some simple test you can run and verify the results.

All numeric value:

index=_internal | head 1 | eval foo="19873297326501876528731" | table foo | outputcsv foo.csv

foo.csv looks like this:

cat var/run/splunk/foo.csv
foo
19873297326501876528731

All word characters value:

index=_internal | head 1 | eval foo="noQuotes" | table foo | outputcsv foo.csv

foo.csv looks like this:

cat var/run/splunk/foo.csv
foo
noQuotes

All alphanumeric with special character value:

index=_internal | head 1 | eval foo="Quotes.because.of.the.dot" | table foo | outputcsv foo.csv

foo.csv looks like this:

cat var/run/splunk/foo.csv
foo
"Quotes.because.of.the.dot"

All alphanumeric with special character value:

index=_internal | head 1 | eval foo="Quotes-because-of-the-dash" | table foo | outputcsv foo.csv

foo.csv looks like this:

cat var/run/splunk/foo.csv
foo
"Quotes-because-of-the-dash"

hope this helps ...

cheers, MuS

mvaradarajam · ‎10-30-2014

Hi MuS,

How to remove double quotes from alphanumeric?

MuS · ‎10-30-2014

use a trim after the lookup

... | head 1 | eval foo="\"quotes\"" | eval boo=trim(foo, "\"") | table foo boo

sajbutler · ‎10-15-2014

@yuwtennis Did you end up getting an answer for this?

When does splunk add double quotation in outputcsv?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!