Fix: field name quoting

Fixes Single quoting of field names breaking SPL #7

Author: thomaspatzke

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysigma-backend-splunk"
-version = "0.3.4"
+version = "0.3.5"
 description = "pySigma Splunk backend"
 authors = ["Thomas Patzke <[email protected]>"]
 license = "LGPL-2.1-only"

sigma/backends/splunk/splunk.py

@@ -35,7 +35,7 @@ class SplunkBackend(TextQueryBackend):
     not_token : ClassVar[str] = "NOT"
     eq_token : ClassVar[str] = "="
 
-    field_quote: ClassVar[str] = "'"
+    field_quote: ClassVar[str] = '"'
     field_quote_pattern: ClassVar[Pattern] = re.compile("^[\w.]+$")
 
     str_quote : ClassVar[str] = '"'

tests/test_backend_splunk.py

@@ -39,7 +39,7 @@ def test_splunk_field_name_with_whitespace(splunk_backend : SplunkBackend):
                     field name: valueA
                 condition: sel
         """)
-    ) == ['\'field name\'="valueA"']
+    ) == ['"field name"="valueA"']
 
 def test_splunk_regex_query(splunk_backend : SplunkBackend):
     assert splunk_backend.convert(