Quotation marks
In SPL2, you use quotation marks for specific reasons. The following table describes when different types of quotation marks are used:
| Symbol | Description | Examples | 
|---|---|---|
| Single quotation mark ( ' ) | Use single quotation marks around field names that include special characters, spaces, dashes, and wildcards. |  | 
| Double quotation mark ( " ) | Use double quotation marks to enclose all string values. Because string values must be enclosed in double quotation marks, you can reverse the order of field-value pairs. |  | 
| Back tick character ( ` ) | Use back tick characters to enclose a search literal. A search literal is a way to search for one or more terms that appear in your data. For more information, see Search literals in expressions. You have a series of logon events that include failed password events.With a search literal, an AND condition is implied between each of the terms. |  | 
Field names
Field names that begin with anything other than a-z, A-Z, or the underscore ( _ ) character must be enclosed in single quotation marks ( ' ).
Field names that contain anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks ( ' ). This includes the wildcard ( * ) character, the dash ( - ), and the space character.
Field name quotation examples
The following table shows a few examples of when to use quotation marks with field names:
| Example | |
|---|---|
|  | A dash is used in the new field created by the evalcommand, and so the field namelow-useris enclosed in single quotation marks. This example uses thelowerfunction on theusernamefield to return the values in lowercase. | 
|  | A wildcard is used in the SELECT clause to search for all fields that start with "bytes". When a wildcard is used to search for a field name, you must enclose the field name in single quotation marks. | 
|  | Spaces are used to rename the field that is generated when sum(bytes)is calculated. When a field name contains spaces, you must enclose the field name in single quotation marks. | 
|  | A special character is used in the new field created by the evalcommand. When you use a special character or a number as the first character in a field name, the field name must be enclosed in single quotation marks. This example uses theroundfunction on thevaluefield to round the values to two decimal places. | 
|  | A period is used to rename the field that is generated when max(size)is calculated. When a field name contains a special character, you must enclose the field name in single quotation marks. | 
|  | A number is the first character in the field name 5minutes. Field names that start anything other than an alphabetical character or the underscore ( _ ) character must be enclosed in single quotation marks. | 
String values
In your search syntax, enclose all string values in double quotation marks ( " ).
Flexible syntax
Enclosing string values in quotation marks adds flexibility to the ways you can specify the search syntax. 
For example, to search for events where the field action has the value purchase, you can specify either action="purchase" or "purchase"=action. 
search command. For backward compatibility with SPL, the SPL2 search command always expects the field name on the left side of the equal ( = ) sign and the value on the right side of the equal sign.String value quotation examples
The following table shows a few examples of when to use double quotation marks with string values:
| Example | Description | 
|---|---|
|  | The WHERE clause contains a string value for the actionfield. The string value must be enclosed in double quotation marks. | 
|  | Because string values must be in double quotation marks, the syntax becomes flexible. You don't need to adhere to the syntax field=value. In this example the string value"purchase"is specified before the field nameaction. | 
|  | The searchrequires the field to come before the valuefield=value. The string value must be enclosed in double quotation marks. | 
|  | A wildcard character is used in the string value for the sourcetypefield. When you use a wildcard to search for similar values, the string value with the wildcard must be enclosed in double quotation marks. | 
|  | IP addresses are an example of a number that is interpreted as a string value. These types of numbers must be enclosed in double quotation marks. Without the quotation marks, punctuation symbols, like periods, are interpreted as minor breakers in event data. See Event segmentation and searching. | 
|  | Forward slashes ( / ) and colons ( : ) are used in the timestamp string value for the earliestkeyword. Timestamps are an example of string values that must be enclosed in double quotation marks. Without the quotation marks, these punctuation symbols are interpreted as minor breakers in event data. |