How Splunk field contains double quote - splunk

When use Splunk, if we have log
key="hello"
Search in Splunk by
* | table a
we can see hello value
We might print out value with double quote, if we don't escape
key="hel"lo"
We'll see key value is hel. Value breaks before the position of quote
If try to escape double quote with \,
key="hel\"lo"
We'll see key value is hel\
Is use single quote around
key='hel"lo'
We'll see key value include single quotes, it's 'hello"lo'. In this case, search criteria should be
* key="'ab\"c'" | table a
single quotes are parts of value
Question is how to include double quote as part of value?
Ideally, there should be a way to escape double quotes, input
key="hel\"lo"
should match the query
key="hel\"lo"
But it's not.
I have this problem for many years. Splunk value is dynamic, it could contain double quotes. I'm not going to use JSON my log format.
I'm curious why there is no answer in Splunk's official website.
Someone can help? Thanks.

| makeresults
| eval bub="hell\"o"
| table bub
Puts a double-quote mark right in the middle of the bub field
If you want to search for the double-quote mark, use | where match() like this:
| where match(bub,"\"")

Ideally, the data source would not generate events with embedded quotes without escaping them. Otherwise, how would a reader know the quote is embedded and not mismatched? This is the problem Splunk is struggling with.
The fix is to create your own parser using transforms.
In props.conf:
[mysourcetype]
TRANSFORMS-parseKey = parse_key
In transforms.conf:
[parse_key]
REGEX = (\w+)="(.*\".*)"
FORMAT = $1::$2
Of course, this regex is simplified. You'll need to modify it to match your data.

Related

element in a array contains double quotation

I would like to have ""apple"" as the element in the array as the output. The sad thing is it has to be in this kind of format.
But presto automatically added the escape character "/". (i.e "/"apple/"")
How do I get rid of it
Simply use two double quotes around the string apple ""apple""

How to include apostrophe in character set for REGEXP_SUBSTR()

The IBM i implementation of regex uses apostrophes (instead of e.g. slashes) to delimit a regex string, i.e.:
... where REGEXP_SUBSTR(MYFIELD,'myregex_expression')
If I try to use an apostrophe inside a [group] within the expression, it always errors - presumably thinking I am giving a closing quote. I have tried:
- escaping it: \'
- doubling it: '' (and tripling)
No joy. I cannot find anything relevant in the IBM SQL manual or by google search.
I really need this to, for instance, allow names like O'Leary.
Thanks to Wiktor Stribizew for the answer in his comment.
There are a couple of "gotchas" for anyone who might land on this question with the same problem. The first is that you have to give the (presumably Unicode) hex value rather than the EBCDIC value that you would use, e.g. in ordinary interactive SQL on the IBM i. So in this case it really is \x27 and not \x7D for an apostrophe. Presumably this is because the REGEXP_ ... functions are working through Unicode even for EBCDIC data.
The second thing is that it would seem that the hex value cannot be the last one in the set. So this works:
^[A-Z0-9_\+\x27-]+ ... etc.
But this doesn't
^[A-Z0-9_\+-\x27]+ ... etc.
I don't know how to highlight text within a code sample, so I draw your attention to the fact that the hyphen is last in the first sample and second-to-last in the second sample.
If anyone knows why it has to not be last, I'd be interested to know. [edit: see Wiktor's answer for the reason]
btw, using double quotes as the string delimiter with an apostrophe in the set didn't work in this context.
A single quote can be defined with the \x27 notation:
^[A-Z0-9_+\x27-]+
^^^^
Note that when you use a hyphen in the character class/bracket expression, when used in between some chars it forms a range between those symbols. When you used ^[A-Z0-9_\+-\x27]+ you defined a range between + and ', which is an invalid range as the + comes after ' in the Unicode table.

Retrieving the value which have '#' character in ColdFusion

I'm trying to assign the value of a column from the query to a variable using cfset tag. For example, if the value is 'abcd#1244', then if I use <cfset a = #trim(queryname.column)#> it will return only abcd. But I need the whole value of that column.
You will need to escape the # symbol. You can get clever and do it all in one swoop (# acts as an escape character when placed next to another #).
Example being
The item## is #variable#.
In order to print "The item# is 254."
There are plenty of text and string functions at your disposal.
I'd recommend first trying to escape the value as soon as it is drawn from your database.
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec1a60c-7ffc.html

How to "unmold" a string?

I'm using this library to convert a block to a CSV. However, when it encounters a string with a comma in it it molds that string. Normally not a problem except that the curly-braces seem to confuse Excel.
So, {This, is a test} gets turned into | {this | is a test} | (each side of the comma is put into separate cells).
At first I thought I needed to escape the comma but it turns out what I need to do is turn the curly braces into quotes. Is there a quick or REBOL-recommended way to do this?
The purpose of 'MOLD in %csv.r is to wrap values containing commas into double quotes.
But unfortunately 'MOLD puts strings longer than 50 characters into curly braces instead of double quotes, for better readability.
I don't know how to affect this behaviour, so I would just replace 'MOLD in Item: mold Item and Heading: mold Heading with 'DBL-QUOTE, which would simply be defined as
dbl-quote: func[s][rejoin [{"} s {"}]]
Use csv-tools.r instead. It has that functionality built in, and is verified to be Excel compatible. It will work with Rebol 2 and 3, and has been in production use for years.

Objective C Regex- Numbers in NSStrings

I have a number of NSStrings I need to parse/regex and get the numbers 187,215; 181,170; 69,63; etc etc out.
a:2:{i:0;s:3:"187";i:1;s:3:"215";}
a:2:{i:0;s:3:"181";i:1;s:3:"170";}
a:2:{i:0;s:2:"69";i:1;s:2:"63";}
Anyone can help out?
Assuming:
The items you are trying to grab are only numbers (with no other chars inside).
If you know your numbers (or whatever inside the quotes) is what you need, you can search for the quotes that surround them.
The quotes are only used to contain the item (digits) you are searching for.
If you want numbers and surrounding quotes
"\d+?" Example
This will grab any digits (one or more digit due to the +) inside of quotes. Since regex is normally "greedy", adding the ? after the + will make it "non-greedy", or it will stop processing and looking for digits after it hits the NEXT quote instead of processing until it find the last quote.
If you want just the numbers
(?<=")\d+?(?=") Example
This is similar to the previous regex, the only difference is the exclusion of the quotes from the returned item. Including the quotes in the regex will match them positively and then return them back. This regex uses positive look-ahead and look-behinds to ensure that the pattern we are looking for \d+? is preceded by a quote and followed by a quote.