There is a field in my log which can assume special characters as values, as below.
action="A";parm="asdfg";ans="OK"
action="w";parm="qwert";ans="OK"
action=" ";parm="NULL";ans="ERROR"
action="*";parm="NULL";ans="ERROR"
I don't want to remove those character from my log (actually I should not), but I want to be able to find those events in my search.
I tryed to search <i>action="\ "</i> and <i>action="*"</i>, but it didn't work.
How can I search those fields properly?
Thanks,
Tiago
Hi,
Take a look at:
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/search
In the Quotes and escaping characters section:
The backslash character () is used to escape quotes, pipes, and itself. Backslash escape sequences are still expanded inside quotes. For example:
The sequence \| as part of a search will send a pipe character to the command, instead of having the pipe split between commands.
The sequence \" will send a literal quote to the command, for example for searching for a literal quotation mark or inserting a literal quotation mark into a field using rex.
The \\ sequence will be available as a literal backslash in the command.
Hope that helps.