topic Re: Strptime bug with fields with spaces or periods in Splunk Search

Strptime bug with fields with spaces or periods

jlucas4 — Mon, 25 Nov 2019 14:06:12 GMT

I came across this bug today when using strptime. Strptime does not work on field names that have spaces or periods.
For example,
epochtime=strptime(first_discovered, "%b %e, %Y %H:%M:%S %Z") works

but

epochtime=strptime(first.discovered, "%b %e, %Y %H:%M:%S %Z")
and
epochtime=strptime("first discovered", "%b %e, %Y %H:%M:%S %Z")

do not work.
Is there a place to fill out a bug report?

Re: Strptime bug with fields with spaces or periods

to4kawa — Mon, 25 Nov 2019 14:15:18 GMT

| makeresults 
| eval field_sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval field.sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval "field sample"=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval result1=strptime(field_sample, "%b %e, %Y %H:%M:%S %Z")
| eval result2=strptime(field.sample, "%b %e, %Y %H:%M:%S %Z")
| eval result3=strptime("field sample", "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash=strptime('field.sample', "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash=strptime('field sample', "%b %e, %Y %H:%M:%S %Z")

Interestingly, the field in the case of function arguments needs to be enclosed in single quotes.

Re: Strptime bug with fields with spaces or periods

woodcock — Mon, 25 Nov 2019 15:17:23 GMT

It is not a bug; use single-quotes, like this:

epochtime=strptime('first discovered', "%b %e, %Y %H:%M:%S %Z")

This is for field names in other places, too. Sometimes you need double-quotes, other times single-quotes, depending on where/how the field name is used. Whitespace in field names is EVIL. ONLY do so on the VERY last line of your SPL with | rename benevolentFieldName AS "Evil FIeld Name"

Re: Strptime bug with fields with spaces or periods

jlucas4 — Mon, 25 Nov 2019 15:35:18 GMT

I completely agree, spaces are evil. Unfortunately, we were monitoring a csv with whitespaces in the field names. Now, we are going to use SEDCMD-replacespace in props.conf so we don't run into that issue anymore.

Do you know what is the reasoning behind not allowing double-quotes in this instance?

Re: Strptime bug with fields with spaces or periods

techiesid — Mon, 25 Nov 2019 15:55:09 GMT

Hi @jlucas4 ,

If you see the splunk documentation for eval command , that would probably answer your question. I am pasting those line below,

If the expression references a field name that contains non-alphanumeric characters, other than the underscore ( _ ) character, the field name needs to be surrounded by single quotation marks. For example, if the field name is server-1 you specify the field name like this new=count+'server-1'.
If the expression references a literal string, that string needs to be surrounded by double quotation marks. For example, if the string you want to use is server- you specify the string like this new="server-".host.

https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Eval

Hope this helps.

Sid

Re: Strptime bug with fields with spaces or periods

woodcock — Mon, 25 Nov 2019 16:54:10 GMT

The use of double-quotes both in Splunk and most other languages is generally an indication of a object type of string literal. The fact that sometimes it is used otherwise is unfortunate. In splunk, you can always use $ to indicate this is a field name but I generally do not propose this because eventually most searches end up inside of dashboards/macro/foreach/map and then those searches break. So the general approach should be:
0: DO NOT use spaces in field names but, if you absolutely must:
1: Make sure it works in SPL with $fiend name$ .
2: Try 'fiend name' and if that works, done; otherwise
3: Try "fiend name".

Re: Strptime bug with fields with spaces or periods

to4kawa — Mon, 25 Nov 2019 18:06:05 GMT

| makeresults 
| eval field_sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval field.sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval "field sample"=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval result1=strptime(field_sample, "%b %e, %Y %H:%M:%S %Z")
| eval result2=strptime(field.sample, "%b %e, %Y %H:%M:%S %Z")
| eval result3=strptime("field sample", "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash=strptime('field.sample', "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash=strptime('field sample', "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash_dash=strptime($field.sample$, "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash_dash=strptime($field sample$, "%b %e, %Y %H:%M:%S %Z")

This works, awesome