topic How do you run Splunk query for Field with brackets? in Splunk Search

How do you run Splunk query for Field with brackets?

ratan2257 — Sun, 23 Sep 2018 01:13:44 GMT

It might be a very simple answer, however I am not able to find it so far .

My splunk query has a field name "Size(MB)" . I can not get around with escape character, eval or Rex to run the query with this type of field .

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d **avg(Size(MB))** by DBname

kamlesh_vaghela — Sun, 23 Sep 2018 16:44:13 GMT

@ratan2257

You just need double quotes around the name.

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d avg("Size(MB)") by DBname

Thanks

ratan2257 — Sun, 23 Sep 2018 18:06:23 GMT

Unfortunately that didn't worked.

lakromani — Sun, 23 Sep 2018 18:12:16 GMT

If your data is in for of like this:

bla bla Size(128)

Then you can extract it using regex like this:

index=dbx ServerName="bestserver" sourcetype=stats | rex "Size\((?<Size>[^\)]+)" | timechart span=1d avg(Size) by DBname

ratan2257 — Sun, 23 Sep 2018 18:39:04 GMT

It is not about the data , its Field name it self with brackets () .

lakromani — Mon, 24 Sep 2018 16:11:27 GMT

For me this works: avg("Size(MB)")

You can try to rename the field like this:

your search | rename "Size(MB)" AS Size | timechart span=1d avg(Size) by DBname

PS You do have a space after span in you example. This does not work. Correct is span=1d not span =1d

kamlesh_vaghela — Tue, 25 Sep 2018 12:13:00 GMT

@ratan2257
Is it possible to share the sample event or screenshot of this field and value?