Splunk Search

How do you search on a form token that has a value enclosed in double quotes?

cphair
Builder

Hello. I know variants of this question have been asked before, but I haven't found a solution for my specific case. I have a form that accepts a text value for a user and passes it to the search as a parameter (user="$user$"). Mostly this works fine, but in a few cases the user value is enclosed in quotes (e.g. "someaccount" instead of someaccount). If I pass user="someaccount" to the search, it doesn't match because it ignores the quotes. I would like to run this through a macro that fixes the quote situation, but I can't find one that works. The closest I got was user=`foo("someaccount")` where foo was an eval-based macro: replace("$token$", "([\"])", "\\\\\1"). I don't want to have to use *useraccount* to match "useraccount", and I don't want to use rex later in the search because I want to filter on the user field in the base query. Is there a way to make the macro work?

P.S. I can't use Sideview for this dashboard, and anyway I would like a solution that works from the search bar too.


somesoni2
Revered Legend

Where is this token used, in the base search as a filter or in an eval statement?

Take a look at this runanywhere example.

| gentimes start=-1 | eval user="somesh \"somesh\"" | table user | makemv user | mvexpand user | eval isPresent=if(match(user,"(\")*"."somesh"."(\")*"),1,0)

You can put this match statement in your macro.

Update

If the value of $user$ can only be "user" or "\"user\"", then you can try this in the base search

index=yourIndex sourcetype=yoursourcetype (user="$user$" OR user="\"$user$\"") ... | rest of the search
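As an added example (not code from this thread), here is a Python sketch of what the OR clause above relies on: it strips one layer of surrounding quotes from the form token, escapes backslashes and double quotes so the token text cannot break out of the SPL string literal, and simulates which stored field values the clause would match. The field name `user`, the sample values and the function names are assumptions.

```python
# Constructed field values, as the asker describes them: the same account
# sometimes appears bare and sometimes wrapped in literal double quotes.
SAMPLE_USERS = ['someaccount', '"someaccount"', 'otheraccount', 'some"account']


def spl_string_literal(value: str) -> str:
    """Quote a value as an SPL double-quoted string, escaping backslashes and
    double quotes so a form token cannot terminate the literal early."""
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return f'"{escaped}"'


def normalize_token(raw: str) -> str:
    """Strip one layer of surrounding double quotes from a form token, so a
    user who typed "someaccount" is treated like one who typed someaccount."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def build_user_filter(raw_token: str, field: str = 'user') -> str:
    """Emit the base-search clause from the answer above:
    (user="value" OR user="\"value\"") with the value safely escaped."""
    value = normalize_token(raw_token)
    bare = spl_string_literal(value)
    quoted = spl_string_literal(f'"{value}"')
    return f'({field}={bare} OR {field}={quoted})'


def matches(raw_token: str, field_value: str) -> bool:
    """Simulate the clause: true when the stored field value equals either the
    bare token or the token wrapped in literal quotes (exact match, no wildcard)."""
    value = normalize_token(raw_token)
    return field_value in (value, f'"{value}"')


def filter_users(raw_token: str, values=SAMPLE_USERS) -> list:
    """Return the sample values the generated clause would keep."""
    return [v for v in values if matches(raw_token, v)]


if __name__ == '__main__':
    print(build_user_filter('someaccount'))
    print(filter_users('"someaccount"'))
```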

cphair
Builder

Base search. That's why it's complicated. I can get it to work with a later eval, but not in the base search.
