In SPL2, you use quotation marks for specific reasons. The following table describes when different types of quotation marks are used:
|Single quotation mark ( ' )||Use single quotation marks around field names that include special characters, spaces, dashes, and wildcards.|
|Double quotation mark ( " )||Use double quotation marks to enclose all string values. Because string values must be enclosed in double quotation marks, you can reverse the order of field-value pairs.|
|Back tick character ( ` )||Use back tick characters to enclose a search literal. A search literal is a way to search for one or more terms that appear in your data. For more information, see Search literals in expressions.|
You have a series of logon events that include failed password events.
Field names that begin with anything other than a-z, A-Z, or the underscore ( _ ) character must be enclosed in single quotation marks ( ' ).
Field names that contain anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks ( ' ). This includes the wildcard ( * ) character, the dash ( - ), and the space character.
Field name quotation examples
The following table shows a few examples of when to use quotation marks with field names:
||A dash is used in the new field created by the |
||A wildcard is used in the SELECT clause to search for all fields that start with "bytes". When a wildcard is used to search for a field name, you must enclose the field name in single quotation marks.|
||Spaces are used to rename the field that is generated when |
||A special character is used in the new field created by the |
||A period is used to rename the field that is generated when |
||A number is the first character in the field name |
In your search syntax, enclose all string values in double quotation marks ( " ).
Enclosing string values in quotation marks adds flexibility to the ways you can specify the search syntax.
For example, to search for events where the field action has the value purchase, you can specify either
The only exception for the quotation requirement is with the search command. For backward compatibility with SPL, the SPL2 search command always expects the field name on the left side of the equal ( = ) sign and the value on the right side of the equal sign.
String value quotation examples
The following table shows a few examples of when to use double quotation marks with string values:
||The WHERE clause contains a string value for the |
||Because string values must be in double quotation marks, the syntax becomes flexible. You don't need to adhere to the syntax |
||A wildcard character is used in the string value for the |
||IP addresses are an example of a number that is interpreted as a string value. These types of numbers must be enclosed in double quotation marks. Without the quotation marks, punctuation symbols, like periods, are interpreted as minor breakers in event data. See Event segmentation and searching.|
||Forward slashes ( / ) and colons ( : ) are used in the timestamp string value for the |
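The field name and string value rules above can be applied mechanically when a script generates SPL2 expressions. The following Python sketch is an added example, not part of the Splunk documentation; the helper names `quote_field`, `quote_string` and `equals` are hypothetical, and because this page does not describe escaping, any input that contains its enclosing quotation mark or a backslash is refused rather than escaped.

```python
import re

# Page rule: a field name can stay unquoted only if it starts with a-z, A-Z
# or _ and contains nothing other than a-z, A-Z, 0-9 and _.
_BARE_FIELD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _reject_if_needs_escaping(text: str, quote: str) -> None:
    # Assumption: escaping is not described on this page, so text that
    # contains the enclosing quote character or a backslash is refused.
    if quote in text or "\\" in text:
        raise ValueError(f"refusing text that would need escaping: {text!r}")


def quote_field(name: str) -> str:
    """Return a field name as it must be written in SPL2 source."""
    if not name:
        raise ValueError("field name is empty")
    if _BARE_FIELD.fullmatch(name):
        return name
    _reject_if_needs_escaping(name, "'")
    return f"'{name}'"


def quote_string(value: str) -> str:
    """Enclose a string value in double quotation marks."""
    _reject_if_needs_escaping(value, '"')
    return f'"{value}"'


def equals(field: str, value: str, reverse: bool = False) -> str:
    """Build a field-value comparison for an expression such as a WHERE clause.

    reverse=True writes the value first, which the page allows everywhere
    except in the search command.
    """
    pair = (quote_field(field), quote_string(value))
    return "=".join(reversed(pair) if reverse else pair)


if __name__ == "__main__":
    # Constructed field names covering the cases in the field name table.
    for name in ["clientip", "_time", "bytes-out", "bytes*", "total count",
                 "user.name", "2xx_count"]:
        print(f"{name!r:15} -> {quote_field(name)}")
    print(equals("action", "purchase"))
    print(equals("action", "purchase", reverse=True))
    print(equals("clientip", "192.0.2.10"))
```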
When to escape characters
This documentation applies to the following versions of Splunk® Cloud Services: current