Splunk Enterprise Security

When do I need to surround a field name with single ticks, double ticks, and when do I not need them at all in a search?

chris
Motivator

I'm trying to integrate McAfee data into ES and I am having difficulties using the datamodel command.

Why does this search work (it returns results):

| datamodel "Malware" "Malware_Attacks" search | where 'Malware_Attacks.category'="av.detect"

And this one does not (does not return results, but I do not get syntax errors):

| datamodel "Malware" "Malware_Attacks" search | search 'Malware_Attacks.category'="av.detect"

Thanks,
Chris


Update

This works:

| datamodel "Malware" "Malware_Attacks" search | search "Malware_Attacks.category"="av.detect"

And so does this:

| datamodel "Malware" "Malware_Attacks" search | search Malware_Attacks.category="av.detect"

I guess the question should be: When do I need to surround a field name with single ticks, when are double ticks ok and when do I not need them at all?

1 Solution

MuS
SplunkTrust
SplunkTrust

Hi chris,

I cannot answer why it is this way, but from my experience and tests I can try to answer how to use it.
Let's start with the difference between where and search:

  • Use where if you want to compare two fields' values
  • Use search if you want to search for a field containing a string or value

Next, there is a little hint in the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where

If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'.

If the expression references literal strings that contain non-alphanumeric characters, they need to be surrounded by double quotes; for example, new="server-"+count.

Now, let's test this with these run-everywhere commands, all done on the same server over the "Previous week" time range:

| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>='foo'
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>=foo
| datamodel "internal_server" "systemwide_search_load_" search | search server.active_hist_searches>=15
| datamodel "internal_server" "systemwide_search_load_" search | search "server.active_hist_searches">=15

All the above searches will work, because they use the correct search syntax and the result is 108 events.

| datamodel "internal_server" "systemwide_search_load_" search | search "server.active_hist_searches">="15"
| datamodel "internal_server" "systemwide_search_load_" search | search server.active_hist_searches>="15"

The above searches will return wrong events, because they search for literal string values of 15; the result is 566 events.

| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">='foo'
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">="foo"
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">=foo

The above searches will not work, because they reference literal strings that contain non-alphanumeric characters as fields; the result in this case is 811, or all events.

| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where server.active_hist_searches>=foo
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>="foo"

This will not work at all, returning 0 events.

So, after all this testing I can say the following:

  • use ' single quotes when using the where command
  • use " double quotes or no quotes when using the search command

Hope this helps ....

cheers, MuS

PS: if you need the *why* it is this way, open a support case or ask the same on the IRC channel #splunk @ efnet.org
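As an added illustration that is not part of the thread, here is a small Python model of the where-operand quoting rules MuS quotes from the docs (single quotes = field reference, double quotes = string literal, bare token = number or plain field name). The event values, the `foo="15"` field from the eval, and the simplified comparison semantics are assumptions for the demo, not Splunk's actual implementation; they only reproduce the match/all/none outcomes reported above.

```python
import re

# Constructed sample events (hypothetical values, not from the page): the
# numeric data-model field from MuS's test plus the string field foo="15"
# that `eval foo="15"` would add to every event.
EVENTS = [
    {"server.active_hist_searches": n, "foo": "15"}
    for n in (3, 8, 15, 22, 40)
]


def resolve(token, event):
    """Resolve one where-operand per the documented quoting rule.

    'name'  -> value of field `name` (single quotes mark a field reference)
    "text"  -> the literal string text
    bare    -> a number if numeric, else a field reference that is only
               valid for alphanumeric/underscore names; a dotted bare name
               is left unresolved (None), modelling the 0-event result.
    """
    if token.startswith("'") and token.endswith("'"):
        return event.get(token[1:-1])
    if token.startswith('"') and token.endswith('"'):
        return token[1:-1]
    if re.fullmatch(r"-?\d+(\.\d+)?", token):
        return float(token)
    if re.fullmatch(r"\w+", token):
        return event.get(token)
    return None  # non-alphanumeric field name without single quotes


def _num(value):
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def where_ge(expr, events=EVENTS):
    """Count events matching `<lhs>>=<rhs>` under the simplified model:
    numeric compare when both sides are numeric, else string compare."""
    lhs, rhs = (t.strip() for t in expr.split(">=", 1))
    hits = 0
    for event in events:
        a, b = resolve(lhs, event), resolve(rhs, event)
        if a is None or b is None:
            continue  # an unresolved side never matches
        na, nb = _num(a), _num(b)
        hits += (na >= nb) if na is not None and nb is not None else (str(a) >= str(b))
    return hits
```

Running `where_ge` over the five quoting variants from the answer gives 3 events for the two correct forms, all 5 for the three forms that quote the field name with double quotes (a string compare against a literal), and 0 for the unquoted dotted name and for the `"foo"` literal.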


chris
Motivator

Thanks for testing the different variations.
