https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399447#M169430 <P><STRONG>Note:</STRONG> The question is not "how do I search for a field with the name of <CODE>tag</CODE>", but "what other field name(s) behave like this"? </P> <P>We recently ran into this case:</P> <UL> <LI>A user logged a message that included the text <CODE>tag="some stuff"</CODE></LI> <LI>User tried to search by that field, but gets an error like <CODE>unable to find tag "some stuff"</CODE></LI> </UL> <P><CODE>tag</CODE> appears to be a reserved word, but I was unable to find a list of any other cases like this. It's unfortunate that the tags functionality (which isn't in use) uses the same syntax as field matching here.</P> <P>We'd like to add some code to warn on this kind of case, is there a list of all such keywords which, when searching <CODE>keyword=foo</CODE>, would not actually match the field name <CODE>keyword</CODE>?</P> Tue, 15 May 2018 18:36:58 GMT krisreeves 2018-05-15T18:36:58Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399447#M169430 <P><STRONG>Note:</STRONG> The question is not "how do I search for a field with the name of <CODE>tag</CODE>", but "what other field name(s) behave like this"? </P> <P>We recently ran into this case:</P> <UL> <LI>A user logged a message that included the text <CODE>tag="some stuff"</CODE></LI> <LI>User tried to search by that field, but gets an error like <CODE>unable to find tag "some stuff"</CODE></LI> </UL> <P><CODE>tag</CODE> appears to be a reserved word, but I was unable to find a list of any other cases like this. It's unfortunate that the tags functionality (which isn't in use) uses the same syntax as field matching here.</P> <P>We'd like to add some code to warn on this kind of case, is there a list of all such keywords which, when searching <CODE>keyword=foo</CODE>, would not actually match the field name <CODE>keyword</CODE>?</P> Tue, 15 May 2018 18:36:58 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399447#M169430 krisreeves 2018-05-15T18:36:58Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399448#M169431 <P>You can search by escaping the double quotation.</P> <PRE><CODE>index=XXX "tag=\"some stuff\"" </CODE></PRE> <P>The following are used in the basic search part.<BR /> ※If there is a shortage, please someone supplement.</P> <P>Internal fields<BR /> _raw, _time, _indextime, _cd</P> <P>Basic default fields<BR /> host, index, linecount, punct, source, sourcetype, splunk_server, timestamp</P> <P>Default datetime fields<BR /> date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone</P> <P>etc<BR /> tag,eventtype,earliest,latest</P> Tue, 29 Sep 2020 19:29:12 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399448#M169431 HiroshiSatoh 2020-09-29T19:29:12Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399449#M169432 <P>@krisreeves for the data that you have ingested seems like there is <CODE>tag</CODE> (and possibly <CODE>eventtype</CODE>) created.<BR /> You would need to create a <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX">Field Extraction</A> to name the field something other than <CODE>tag</CODE> like <CODE>Tag</CODE> with uppercase <CODE>T</CODE>.</P> Wed, 16 May 2018 08:19:00 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399449#M169432 niketn 2018-05-16T08:19:00Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399450#M169433 <P>This is good to know! My question is, however, different: I'm looking to know which, if any, other field names behave like this so that we can avoid using them entirely</P> Wed, 16 May 2018 15:16:44 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399450#M169433 krisreeves 2018-05-16T15:16:44Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399451#M169434 <P>So far, beyond the default fields listed here: <A href="https://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Aboutdefaultfields">https://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Aboutdefaultfields</A></P> <P>There is <CODE>tag</CODE> and <CODE>eventtype</CODE></P> Thu, 17 May 2018 23:30:10 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399451#M169434 krisreeves 2018-05-17T23:30:10Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399452#M169435 <P>The following are used in the basic search part.<BR /> ※If there is a shortage, please someone supplement.</P> <P>Internal fields<BR /> _raw, _time, _indextime, _cd</P> <P>Basic default fields<BR /> host, index, linecount, punct, source, sourcetype, splunk_server, timestamp</P> <P>Default datetime fields<BR /> date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone</P> <P>etc<BR /> tag,eventtype,earliest,latest</P> Tue, 29 Sep 2020 19:34:50 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399452#M169435 HiroshiSatoh 2020-09-29T19:34:50Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399453#M169436 <P>Ah, of course -- I should have thought about earliest and latest <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> If you could edit this into your answer I'd like to accept this as the answer?</P> Fri, 18 May 2018 15:06:36 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-list-of-unusable-field-names/m-p/399453#M169436 krisreeves 2018-05-18T15:06:36Z