Splunk® Cloud Services

SPL2 Search Manual

Quotation marks

In SPL2, you use quotation marks for specific reasons. The following table describes when different types of quotation marks are used:

Symbol: Single quotation mark ( ' )
Description: Use single quotation marks around field names that include special characters, spaces, dashes, and wildcards.
Examples:

SELECT 'host*' FROM main ...

FROM main SELECT avg(cpu_usage) AS 'Avg Usage'

Symbol: Double quotation mark ( " )
Description: Use double quotation marks to enclose all string values. Because string values must be enclosed in double quotation marks, you can reverse the order of field-value pairs.
Examples:

FROM main WHERE user="ladron"

FROM my_index WHERE sourcetype="syslog"

FROM my_index WHERE "syslog"=sourcetype

Symbol: Back tick character ( ` )
Description: Use back tick characters to enclose a search literal. A search literal is a way to search for one or more terms that appear in your data. With a search literal, an AND condition is implied between each of the terms. For more information, see Search literals in expressions.
Examples (searching a series of logon events that include failed password events):

SELECT _time, source FROM main WHERE `invalid user sshd[5258]`

FROM main WHERE `user "ladron" from 192.0.2.0/24`

Field names

Field names that begin with anything other than a-z, A-Z, or the underscore ( _ ) character must be enclosed in single quotation marks ( ' ).

Field names that contain anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks ( ' ). This includes the wildcard ( * ) character, the dash ( - ), and the space character.

Field name quotation examples

The following examples show when to use quotation marks with field names. Each example is followed by its description:

...| eval 'low-user' = lower(username)

A dash is used in the new field created by the eval command, and so the field name low-user is enclosed in single quotation marks. This example uses the lower function on the username field to return the values in lowercase.

| SELECT 'bytes*' FROM main ...

A wildcard is used in the SELECT clause to search for all fields that start with "bytes". When a wildcard is used to search for a field name, you must enclose the field name in single quotation marks.

...| stats sum(bytes) AS 'Sum of bytes'

Spaces are used to rename the field that is generated when sum(bytes) is calculated. When a field name contains spaces, you must enclose the field name in single quotation marks.

...| eval '$currency' = round(value, 2)

A special character is used in the new field created by the eval command. When you use a special character or a number as the first character in a field name, the field name must be enclosed in single quotation marks. This example uses the round function on the value field to round the values to two decimal places.

... | stats max(size) AS 'max.size'...

A period is used to rename the field that is generated when max(size) is calculated. When a field name contains a special character, you must enclose the field name in single quotation marks.

... WHERE '5minutes'="late"

A number is the first character in the field name 5minutes. Field names that start with anything other than an alphabetical character or the underscore ( _ ) character must be enclosed in single quotation marks.

String values

In your search syntax, enclose all string values in double quotation marks ( " ).

Flexible syntax

Enclosing string values in quotation marks adds flexibility to the ways you can specify the search syntax. For example, to search for events where the field action has the value purchase, you can specify either action="purchase" or "purchase"=action.

The only exception for the quotation requirement is with the search command. For backward compatibility with SPL, the SPL2 search command always expects the field name on the left side of the equal ( = ) sign and the value on the right side of the equal sign.

String value quotation examples

The following examples show when to use double quotation marks with string values. Each example is followed by its description:

| FROM buttercupgames WHERE action="purchase" AND status=200 ...

The WHERE clause contains a string value for the action field. The string value must be enclosed in double quotation marks.

| FROM buttercupgames WHERE "purchase"=action AND status=200 ...

Because string values must be in double quotation marks, the syntax becomes flexible. You don't need to adhere to the syntax field=value. In this example the string value "purchase" is specified before the field name action.

| search buttercupgames action="purchase" status=200 ...

The search command requires the field name to come before the value, in the form field=value. The string value must still be enclosed in double quotation marks.

| FROM my_dataset WHERE sourcetype="access_*" ...

A wildcard character is used in the string value for the sourcetype field. When you use a wildcard to search for similar values, the string value with the wildcard must be enclosed in double quotation marks.

| FROM main WHERE clientip="192.0.2.14"...

IP addresses are an example of a number that is interpreted as a string value. These types of numbers must be enclosed in double quotation marks. Without the quotation marks, punctuation symbols, like periods, are interpreted as minor breakers in event data. See Event segmentation and searching.

...earliest="10/5/2020:20:00:00"

Forward slashes ( / ) and colons ( : ) are used in the timestamp string value for the earliest keyword. Timestamps are an example of string values that must be enclosed in double quotation marks. Without the quotation marks, these punctuation symbols are interpreted as minor breakers in event data.
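The rules from the Field names and String values sections can be turned into a small query-building helper, which is useful when detection searches are generated from data that did not originate in the editor (a hostname or username pasted from a ticket, for instance). The following is an added example written for this page, not code from Splunk or the SPL2 documentation. It assumes the rules exactly as stated above: a field name may stay bare only if it matches [A-Za-z_][A-Za-z0-9_]*, every string value (including wildcard patterns, IP addresses and timestamps) is double-quoted, and plain numbers such as status=200 stay bare. It refuses any name or value that contains its own quoting character, because escaping is covered in the separate "When to escape characters" topic rather than here. The function names quote_field, quote_string and where_clause are hypothetical.

```python
import re

# Rule from the "Field names" section: a name may appear without quotation
# marks only if it starts with a letter or underscore and contains only
# letters, digits and underscores. Wildcards, dashes, spaces, periods,
# leading digits or symbols all require single quotation marks.
_BARE_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_field(name: str) -> str:
    """Return the field name as it must be written in SPL2 (hypothetical helper)."""
    if not name:
        raise ValueError("field name must not be empty")
    if "'" in name:
        # Assumption: escaping a single quotation mark inside a field name is
        # covered by "When to escape characters", not this page, so refuse
        # rather than guess the escape syntax.
        raise ValueError("field name contains a single quotation mark")
    if _BARE_FIELD.match(name):
        return name
    return f"'{name}'"


def quote_string(value: str) -> str:
    """Return a string value enclosed in double quotation marks (hypothetical helper)."""
    if '"' in value:
        # Same reasoning as above: refuse instead of inventing an escape rule.
        raise ValueError("string value contains a double quotation mark")
    return f'"{value}"'


def where_clause(conditions) -> str:
    """Build a WHERE clause from (field, value) pairs joined by AND.

    str values are double-quoted; int and float values are emitted bare,
    matching the status=200 example on this page.
    """
    parts = []
    for field, value in conditions:
        # bool is a subclass of int in Python, so check it first.
        if isinstance(value, bool):
            raise TypeError("boolean values are not handled by this helper")
        if isinstance(value, (int, float)):
            rendered = str(value)
        elif isinstance(value, str):
            rendered = quote_string(value)
        else:
            raise TypeError(f"unsupported value type: {type(value).__name__}")
        parts.append(f"{quote_field(field)}={rendered}")
    return "WHERE " + " AND ".join(parts)


if __name__ == "__main__":
    # Constructed sample input: a clause that reuses the page's own examples.
    print(where_clause([("action", "purchase"), ("status", 200)]))
    print(where_clause([("clientip", "192.0.2.14"), ("sourcetype", "access_*")]))
    print(quote_field("low-user"), quote_field("Sum of bytes"), quote_field("5minutes"))
```

The refusal on an embedded quotation mark is the point of the helper: a value that arrives with a stray " in it would otherwise close the string early and let the rest of the value be read as search syntax, so the safe behaviour until the escape rule is applied is to reject it rather than emit it.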
Last modified on 27 July, 2021
This documentation applies to the following versions of Splunk® Cloud Services: current