- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How do I remove the double quotes from my token va...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my form, I'm trying to search on a value that might be in two places. The value is derived from a token. The issue is that one of the places, the token value is the whole field, and in another, it's a part of the field. So the first part ( | search patid = $pat1$) works, but the second part ( | search patid=$pat1$) doesn't work because it puts quotes in (evaluates as | search patid="5379345"). Obviously I'm clueless, can someone point me in the right direction?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I couldn't get the suggested methods to work (probably I'm doing something else wrong), but I managed to get what I needed by using a rex to pull the value out of the second field and then do a search like so:
| rex field=altpat "\w*^\w*^\w*^\w*^\w*~(?
| search (patid = $patid$) OR (altpatid = $patid$)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I couldn't get the suggested methods to work (probably I'm doing something else wrong), but I managed to get what I needed by using a rex to pull the value out of the second field and then do a search like so:
| rex field=altpat "\w*^\w*^\w*^\w*^\w*~(?
| search (patid = $patid$) OR (altpatid = $patid$)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gregbo requesting you to accept your own answer to mark this question as answered. Also while posting code use Code button on Splunk Answers i.e. 101010 or Shortcut Ctrl+K, so that special character does not escape.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's odd, I thought I did use Ctrl+K...I'll have to see what I did wrong..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gregbo while posting the code use the code button i.e. 101010 or shortcut key Ctrl+K. You might have to add more details from your code/data around your issue. Like what is the code for setting the patid token. What is the query where first $patid$ is set and used for search filter? and what is the query where second $patid$ is set for search filter. What is the value you want to use in both the places?
Can you try Token escape character i.e. |s to escape token value as string
| search patid=$patid|s$
And
| search patid=*$patid|s$*
Or may be use double quotes around existing token filter:
| search patid="$patid$"
And
| search patid="*$patid$*"
Please add the details as requested if your issue is not resolved!
| makeresults | eval message= "Happy Splunking!!!"
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
