How can I handle special characters from my log li...

tcmarquesi · ‎11-06-2015

There is a field in my log which can assume special characters as values, as below.

action="A";parm="asdfg";ans="OK"
action="w";parm="qwert";ans="OK"
action=" ";parm="NULL";ans="ERROR"
action="*";parm="NULL";ans="ERROR"

I don't want to remove those character from my log (actually I should not), but I want to be able to find those events in my search.

I tryed to search <i>action="\ "</i> and <i>action="*"</i>, but it didn't work.

How can I search those fields properly?

Thanks,

Tiago

chaker · ‎11-06-2015

Hi,

Take a look at:

http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/search

In the Quotes and escaping characters section:

The backslash character () is used to escape quotes, pipes, and itself. Backslash escape sequences are still expanded inside quotes. For example:

The sequence \| as part of a search will send a pipe character to the command, instead of having the pipe split between commands.
The sequence \" will send a literal quote to the command, for example for searching for a literal quotation mark or inserting a literal quotation mark into a field using rex.
The \\ sequence will be available as a literal backslash in the command.

Hope that helps.

How can I handle special characters from my log like blank spaces and asterisk? Is there like a scape character in searching?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life