bug with eval + isnull and field name with a numeric first character?

brettcave — Wed, 12 Jun 2013 11:50:21 GMT

hi, not sure if this is a bug or i am doing something wrong, I think it has something to do with a fieldname starting with a numeric.

... | eval 24hour="1day" | eval test=if(isnull(24hour),"Yes","No")

error: Error in 'eval' command: The expression is malformed. Expected ).. If I rename the field to "hour24" it works without complaining...

is there a restriction with using fieldnames that have a numeric as first character?

Re: bug with eval + isnull and field name with a numeric first character?

kristian_kolb — Wed, 12 Jun 2013 12:22:04 GMT

http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles

Splunk only accepts field names that contain alpha-numeric characters or an underscore:

    Valid characters for field names are a-z, A-Z, 0-9, or _ .
    Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables.
    International characters are not allowed.

You can force splunk to extract fields (through REPORT in props.conf) that start with a number or are all numeric, but there might be problems down the line, like you've experienced. I would not call it a bug, since it's rather well documented, but I understand it can be annoying.

See the section on field extraction in props.conf

http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Propsconf

See the CLEAN_KEYS attribute in transforms.conf as well.

http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Transformsconf

CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time. 
  "Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other
  than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as 
  well as the stripping of leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field names that include 
  non-alphanumeric characters, or which begin with underscores or 0-9 characters.
* Defaults to true.

Hope this helps,

Re: bug with eval + isnull and field name with a numeric first character?

brettcave — Wed, 12 Jun 2013 13:00:23 GMT

thanks K, now stored in my internal reference for future use 🙂

topic bug with eval + isnull and field name with a numeric first character? in Splunk Search

bug with eval + isnull and field name with a numeric first character?

Re: bug with eval + isnull and field name with a numeric first character?

Re: bug with eval + isnull and field name with a numeric first character?