- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- No results found with Double quotes in a search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No results found with Double quotes in a search
Hi,
Im having issues running 3 searches that previously worked and strangely enough by removing the double quotes on one search it worked.
Search 1. Not working
sourcetype=“SPLUNK_REVEAL_METRICS" "User is logged in." | rename date_mday as MonthDay | rename date_year as Year | rename date_month as Month | stats count as "Logins" by Year,Month,MonthDay
Search 1. Now Working
sourcetype=SPLUNK_REVEAL_METRICS | rename date_mday as Day | rename date_month as Month | rename date_year as Year | stats count as "Logins" by Day,Month,Year
Not working Search 2 & 3
sourcetype=SPLUNK_REVEAL_METRICS | rename date_mday as Day | rename date_month as Month | rename date_year as Year | stats count as "Logins" by Day,Month,Year
sourcetype="SPLUNK_REVEAL_METRICS" "User is logged in." |
rex field=_raw " -(?<User>[^@]+@.*)- User is logged in." |
eval Transaction_Date=strftime(strptime(date_year."-".date_month."-".date_mday,"%Y-%B-%d"),"%Y-%m-%d") |
chart count by User Transaction_Date
Any clues as to this behaviour?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The query still does not return any results and unfortunately i cant provide a sample data set due to compliance. Its strange thats its no longer working when the query hasnt changed in years.
I did make a small change replacing < > with < > due to the following error.
Error in 'rex' command: Encountered the following error while compiling the regex ' -(?<User>[^@]+@.*)- User is logged in.': Regex: syntax error in subpattern name (missing terminator)
sourcetype=SPLUNK_REVEAL_METRICS "User is logged in."
| rex field=_raw " -(?<User>[^@]+@.*)- User is logged in."
| bucket span=1d _time
| chart count by User _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In search #1, your first quotation mark is not a simple quotation mark, it is “
Splunk doesn't like the fancy quotation marks, and it also doesn't match the ending quotation mark (a simple one): "
It's kind of hard to see the difference. But since you aren't required to put quotation marks around sourcetype values in search, removing the marks made search #2 work.
I think search #3 may have an extraneous space in the third rename.
I think you are doing things the hard way in search #4. It is really easy to manipulate the timestamp in Splunk:
sourcetype=SPLUNK_REVEAL_METRICS "User is logged in."
| rex field=_raw " -(?&<User>[^@]+@.*)- User is logged in."
| bucket span=1d _time
| chart count by User _time
Since I don't have a sample of your data, I can't evaluate your rex command.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
