Splunk Search

Quote escaping best practices

stevennoble
Explorer

I'm trying to figure out how I can format my logs such that Splunk does not get confused by an escaped quote.
I'm currently doing something like

foo="a bunch of \"text\"" bar="a bunch \"more\" text"

And of course this quite confuses Splunk. Assuming we don't want to switch to JSON, how best to deal with quotes, since backslash escaping doesn't seem to work?

1 Solution

jtrucks
Splunk Employee

You will have to manually create field extractions to accommodate these logs. Once those are all configured and working, you shouldn't have to worry about auto-extracted fields with bad data. Check out KV_MODE in props.conf to disable auto-extracts for this source, too.

--
Jesse Trucks
Minister of Magic


stevennoble
Explorer

Been playing with this. It appears KV_MODE = auto_escaped does everything I want.

helge
Builder

This is the better answer

stevennoble
Explorer

I don't mind escaping at search time. What I do mind is an extracted field of
foo: a bunch of

I can't change to single quotes because there are times where the single quote double quote distinction matters.

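To make concrete what the thread is describing, here is an added example (not code from the thread or from Splunk) that models the two extraction rules side by side: an escape-unaware rule that ends a value at the first double quote, which is what produces a truncated field like the `foo: a bunch of` shown above, and an escape-aware rule that treats `\"` and `\\` as escaped characters inside a quoted value, which is the behaviour `KV_MODE = auto_escaped` in props.conf selects for a sourcetype. The regexes, the `escape_value`/`format_kv` producer-side helpers and the sample events are all constructed for this illustration; the escape-aware regex is an approximation of Splunk's rule, not its implementation. The example also goes one step beyond the question by showing the remaining failure mode once auto_escaped is on: a value that ends in a literal backslash must itself be written as `\\`, otherwise the backslash escapes the closing quote and the next pair is swallowed into the value.

```python
import re

# Constructed sample events in the key="value" shape the question uses.
# QUESTION_EVENT is the question's own line; the other two are constructed.
QUESTION_EVENT = r'foo="a bunch of \"text\"" bar="a bunch \"more\" text"'
# A value ending in a literal backslash, logged WITHOUT escaping the backslash.
BAD_TRAILING_BACKSLASH = r'cmd="copy a b\" user="bob"'
# The same value with the backslash itself escaped, as auto_escaped expects.
GOOD_TRAILING_BACKSLASH = r'cmd="copy a b\\" user="bob"'

# Escape-unaware rule: a value ends at the first double quote. This is the
# behaviour the thread complains about (foo is cut off at the first \").
NAIVE_KV = re.compile(r'(\w+)="([^"]*)"')

# Escape-aware rule (assumed model of KV_MODE = auto_escaped, not Splunk's code):
# a value is a run of ordinary characters or backslash-escaped characters,
# terminated by the first UNescaped double quote.
ESCAPED_KV = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def extract_naive(event):
    """Return key -> value using the escape-unaware rule."""
    return dict(NAIVE_KV.findall(event))


def unescape(raw):
    r"""Drop the backslash in front of any escaped character (\" -> ", \\ -> \)."""
    return re.sub(r'\\(.)', r'\1', raw)


def extract_escaped(event):
    """Return key -> value using the escape-aware rule, with escapes removed."""
    return {key: unescape(raw) for key, raw in ESCAPED_KV.findall(event)}


def escape_value(value):
    """Producer-side escaping: backslashes first, then double quotes, so the
    rendered value is unambiguous for an escape-aware extractor."""
    return value.replace('\\', '\\\\').replace('"', '\\"')


def format_kv(fields):
    """Render a dict as a key="value" log line using escape_value()."""
    return ' '.join(f'{key}="{escape_value(value)}"' for key, value in fields.items())


if __name__ == '__main__':
    print('naive:        ', extract_naive(QUESTION_EVENT))
    print('escape-aware: ', extract_escaped(QUESTION_EVENT))
    # Trailing backslash left unescaped: the closing quote is consumed and
    # ' user=' ends up inside cmd, while user is never extracted at all.
    print('bad trailing: ', extract_escaped(BAD_TRAILING_BACKSLASH))
    print('good trailing:', extract_escaped(GOOD_TRAILING_BACKSLASH))
    # Round trip: what the producer writes is what the extractor reads back.
    fields = {'foo': 'a bunch of "text"', 'path': 'C:\\temp\\'}
    line = format_kv(fields)
    print(line, '->', extract_escaped(line) == fields)
```

The practical reading for the log producer: enabling `KV_MODE = auto_escaped` on the sourcetype fixes the search-time side, but the writer must escape backslashes as well as quotes (backslash first, then quote, as `escape_value` does), or the field boundaries still move for any value that happens to end in a backslash.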

lukejadamec
Super Champion

If you use escape characters and quotes in your logs, then you will need to escape them both at search time.
If you don't want to escape quotes at search time, then use a single quote in your logs.
