Solved: Lookup: Escaping quotation character in field valu...

MHibbin · ‎11-21-2012

Hi SB,

Playing around with lookup tables and it appears I can not have an escaped quotation character (e.g. ") within a field in my lookup file.... Unless i'm being very "thick" today and have missed something. I thought I could trying enclosing my string in a set of '' (e.g. 'foo \"bar\"'), but this apparently doesn't work?

I've had a look at the configuration file and can not see a method for changing the quotation character for lookups.

Can anyone help here?

Cheers.

P.S Apologies if this has been asked already, not seen anything on my search... Also, apologies again if I'm just being stupid.

MHibbin · ‎11-21-2012

Okay, in the mean time I have work around using the \x special character and the hex equivalent of ". Using this in my example above this would be:

foo \x22bar\x22

This (if you haven't already guessed) is for regex... it's added/modified from the Splunkweb and then used in scripts in the background. This is for an odd use-case.

Any other suggestions are welcome of course.

View solution in original post

MHibbin · ‎11-21-2012

Okay, in the mean time I have work around using the \x special character and the hex equivalent of ". Using this in my example above this would be:

foo \x22bar\x22

This (if you haven't already guessed) is for regex... it's added/modified from the Splunkweb and then used in scripts in the background. This is for an odd use-case.

Any other suggestions are welcome of course.

Lookup: Escaping quotation character in field value

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases