How do I escape values in Splunk?

Asked 30/7, 2015 at 9:19 Answered 4/10, 2022 at 19:20

Splunk best practices say to use key/value pairs. It also says to wrap values in quotes if they contain spaces. So, let's say I have a raw value of Fred Smith:

my_key=name my_value="Fred Smith"

That's fine, I've added the quotes. But what if I have a raw value of " Fred Smith" (note the quotes already present and the presence of a space at the start) - this would yield:

my_key=name my_value="" Fred Smith""

This would be treated as:

my_key=name my_value=""
my_key=Fred my_value=Smith""

What are the best practices for escaping quotes in Splunk values?

Tincal answered 30/7, 2015 at 9:19 Comment(1)

Have you tried using a backslash on the quote? That seems to work for me in the search field. – Philipines 6/8, 2015 at 18:32

If you control the data format, which it appears you do, your options include:

Add single quotes around everything.
Use double-quotes, but escape the inner ones with backslashes
Use JSON to represent the data instead of a flat string of KV pairs. JSON syntax handles this quoting case (without adding extra quote marks), plus you can add nested structure if you want.

You can control the search-time field extraction behavior by setting KV_MODE. You may find that auto_escaped will do the trick. See Setting KV_MODE for search-time data in the Splunk Knowledge Manager manual.

Outlook answered 13/8, 2015 at 15:55 Comment(0)

Try "my_value=\"Fred Smith". Key and value between double quotes but the intern double quote with escape \".

Gambrell answered 4/10, 2022 at 19:20 Comment(0)

Recommended topics

Hot tags