Solved: Search for result with double quotes

hendrkle · ‎09-03-2013

Hello,

I'm new to Splunk and am search for an event that would include this:

toState: "stateB",", fromState: "stateA"

Since the result has double quotes, if I use the above as a search, it will include a variety of events that I don't want to see because it doesn't take it as one string.

Any advice you could offer?

apakhomov · ‎09-03-2013

Hello,
You can use backslashes for that. The search string is:

"toState: \"stateB\",\", fromState: \"stateA\""

Best regards,
Artem.

View solution in original post

rlshep · ‎06-05-2018

The search string should be

"toState: \"stateB\",\", fromState: \"stateA\""

apakhomov · ‎09-03-2013

Hello,
You can use backslashes for that. The search string is:

"toState: \"stateB\",\", fromState: \"stateA\""

Best regards,
Artem.

yuanliu · ‎10-23-2019

I downvoted this post because the correct syntax should have only one backslash escape.

apakhomov · ‎09-03-2013

Please, check the case of letters. StateA and stateA are different conditions for the system.

hendrkle · ‎09-03-2013

Thanks Artem,

Using your suggestion, I get zero events back, even if I simply it like this:

"fromState: \"StateA\""

Any idead why this may be?

fromState is in a a huge string and I cannot use it as a field (I think).

Thanks

apakhomov · ‎09-03-2013

However I would better suppose to extract the fields toState and formState. After extracting you will be able to use search string:
toState=stateB fromState=stateA

Search for result with double quotes

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor