
How to search splunk query which includes double quotes in the string to search

I am trying to search for a pattern (see below) in the logs using Splunk. The string which I am going to search for includes double quotes.

The info log below is printed by the logger:

INFO: o.l.k.SomeClass: {"function": "delete", "tenenId":"15897",.......}

And the string I want to search for is "function": "delete"

The Splunk query I am trying to execute is:

index="12585" "\"function\": \"delete\""

I am not quite sure if this is going to work. Any suggestions?

There are probably multiple whitespace characters between function and delete. I suggest you just search for the two phrases separately, rather than together:

index="12585" \"function\": \"delete\"

Since your data is in raw format, you can check whether the "function" field is automatically extracted by Splunk. If yes, you can simply search for index="index_1" function="delete"; otherwise, you can search for index="index_1" "function" "delete" as is, and Splunk will search for function and delete in your raw event.

I was researching a similar problem where I needed to search for an exact string match that includes double quotes. It doesn't look like we can directly query with an escaped double quote, so we have to use regex.

In your scenario, you could try this query:

index="12585" | regex fieldname=".*\"function\": \"delete\".*"

It will try to run a regex match on the fieldname. The regex can be validated in any online regex tester. I haven't figured out how to query with the _raw field. Doing _raw=".*\\\"delete\\\".*" doesn't seem to be returning anything.
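The three approaches discussed in this thread (exact-phrase search, a whitespace-tolerant regex, and matching on the extracted field) can be compared side by side outside Splunk. The Python block below is an added example, not code from the original question or answers, and it runs over a handful of constructed log lines in the same shape as the one in the question. The `build_pattern` function returns the regex source that the whitespace-tolerant search uses; with its inner double quotes backslash-escaped it is the kind of string you would hand to Splunk's `regex` command (that mapping is an assumption, not something the thread verifies).

```python
import json
import re

# Constructed sample log lines (not from the original post). The JSON payload
# after the logger prefix varies in whitespace and key order, which is exactly
# what breaks an exact-phrase search.
SAMPLE_LOG = [
    'INFO: o.l.k.SomeClass: {"function": "delete", "tenenId":"15897"}',
    'INFO: o.l.k.SomeClass: {"function":"delete", "tenenId":"15898"}',
    'INFO: o.l.k.SomeClass: {"function":   "delete", "tenenId":"15899"}',
    'INFO: o.l.k.SomeClass: {"tenenId":"15900", "function": "update"}',
    'INFO: o.l.k.SomeClass: {"function": "deleteAll", "tenenId":"15901"}',
]


def literal_search(lines, needle):
    """Plain substring match: the exact-phrase search the question tries.
    It only hits lines whose spacing is identical to the needle."""
    return [line for line in lines if needle in line]


def build_pattern(key, value):
    """Regex source that matches "<key>" : "<value>" with any whitespace around
    the colon. The closing quote after the value keeps "delete" from matching
    "deleteAll". re.escape protects against regex metacharacters in key/value."""
    return r'"%s"\s*:\s*"%s"' % (re.escape(key), re.escape(value))


def regex_search(lines, key, value):
    """Whitespace-tolerant regex search, the approach the last answer suggests."""
    pattern = re.compile(build_pattern(key, value))
    return [line for line in lines if pattern.search(line)]


def json_field_search(lines, key, value):
    """Parse the JSON payload that follows the logger prefix and compare the
    field value exactly. This is the closest analogue to searching on a field
    that Splunk has already extracted (function="delete")."""
    hits = []
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue
        try:
            payload = json.loads(line[start:])
        except json.JSONDecodeError:
            # Malformed or truncated payload: skip rather than guess.
            continue
        if payload.get(key) == value:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("literal :", len(literal_search(SAMPLE_LOG, '"function": "delete"')))
    print("regex   :", len(regex_search(SAMPLE_LOG, "function", "delete")))
    print("json    :", len(json_field_search(SAMPLE_LOG, "function", "delete")))
    print("pattern :", build_pattern("function", "delete"))
```

On the constructed input the literal search finds only the one line whose spacing matches exactly, while the regex and the parsed-field search both find all three "delete" events and neither is fooled by "deleteAll" or by a different key order. When the field is already extracted, the field comparison is the simplest and least fragile of the three.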
