Splunk Search

How do you search on a form token that has a value enclosed in double quotes?

cphair
Builder

Hello. I know variants of this question have been asked before, but I haven't found a solution for my specific case. I have a form that accepts a text value for a user and passes it to the search as a parameter (user="$user$"). Mostly this works fine, but in a few cases the user value is enclosed in quotes (e.g. "someaccount" instead of someaccount). If I pass user="someaccount" to the search, it doesn't match because it ignores the quotes. I would like to run this through a macro that fixes the quote situation, but I can't find one that works. The closest I got was user=`foo("someaccount")` where foo was an eval-based macro: replace("$token$", "([\"])", "\\\\\1"). I don't want to have to use *useraccount* to match "useraccount", and I don't want to use rex later in the search because I want to filter on the user field in the base query. Is there a way to make the macro work?

P.S. I can't use Sideview for this dashboard, and anyway I would like a solution that works from the search bar too.

0 Karma

somesoni2
SplunkTrust

Where is this token used, in the base search as a filter or in an eval statement?

Take a look at this runanywhere example.

|gentimes start=-1 | eval user="somesh \"somesh\"" | table user| makemv user | mvexpand user | eval isPresent=if(match(user,"(\")*"."somesh"."(\")*"),1,0)

You can put this match statement in your macro.

Update

If the value of $user$ can only be "user" or "\"user\"", then you can try this in the base search

index=yourIndex sourcetype=yoursourcetype (user="$user$" OR user="\"$user$\"") ... | rest of the search
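The OR form above works because, inside a double-quoted SPL string, a literal double quote is written as \" and a backslash as \\. The following is an added example (not code from this thread or from Splunk) showing how a dashboard or script that builds the base search from a form value can apply that escaping before interpolating the token, and how to emit the two-sided filter regardless of whether the form value arrives as someaccount or "someaccount". The function names escape_spl_string and build_user_filter are my own; the only Splunk behaviour assumed is the standard backslash escaping of " and \ inside quoted string literals. An unescaped quote in the token would otherwise terminate the SPL string early, so this is the same check you would want on any user-supplied token that lands in a search.

```python
def escape_spl_string(value: str) -> str:
    """Escape a value for use inside a double-quoted SPL string literal.

    Assumed SPL rules: a backslash is written as \\ and a double quote as \"
    inside "...". Backslashes are escaped first so the quote escape added in
    the second step is not doubled up.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_user_filter(token: str, match_quoted_variant: bool = True) -> str:
    """Return the user= clause for the base search from a form token.

    If the form value itself arrived wrapped in one pair of double quotes
    (the situation in the question), the quotes are stripped first so the
    clause still matches both stored forms: someaccount and "someaccount".
    With match_quoted_variant=True the OR form from the answer above is used.
    """
    core = token
    if len(core) >= 2 and core[0] == '"' and core[-1] == '"':
        core = core[1:-1]

    plain = escape_spl_string(core)
    if not match_quoted_variant:
        return f'user="{plain}"'

    # Value wrapped in literal quotes, then escaped for the SPL literal.
    quoted = escape_spl_string(f'"{core}"')
    return f'(user="{plain}" OR user="{quoted}")'


if __name__ == "__main__":
    # Constructed sample form values: bare, quoted, and one containing a
    # quote and a backslash that must not break the SPL string.
    for sample in ("someaccount", '"someaccount"', 'acct"with\\chars'):
        print(f"{sample!r:24} -> {build_user_filter(sample)}")
```

Paste the returned clause in place of user="$user$" in the base search; the escaping is what lets it run unchanged from the search bar as well as from the dashboard.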

cphair
Builder

Base search. That's why it's complicated. I can get it to work with a later eval, but not in the base search.

0 Karma