https://community.splunk.com/t5/Splunk-Search/Are-hidden-characters-breaking-my-joins/m-p/635614#M220828 <P>If I remember correctly there were some issues with leading/trailing spaces when using the interesting fields <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a> 's idea is a way to verify it.</P> Thu, 23 Mar 2023 05:36:06 GMT PickleRick 2023-03-23T05:36:06Z https://community.splunk.com/t5/Splunk-Search/Are-hidden-characters-breaking-my-joins/m-p/635537#M220798 <P>I am trying to build an Alert for login failures in AWS CloudTrail. In general I have it working -- but my joins are missing some of the desired events.&nbsp; Specifically, I am building an 'index' value consisting of the username+IP, e.g.</P><PRE>| eval user_IP = username + src_ip</PRE><P>but I now see that some seemingly-identical values are being evaluated as separate. For instance, when you click on the Selected Values view (left-side in the results) there will be 2 separate entries which -- at least on-screen -- appear to be identical.</P><P>WHAT THE POPUP SHOWS</P><PRE>user_IP<BR />2 Values, 100% of events<BR /><BR />Values&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Count<BR />firstuser172.31.1.1&nbsp;&nbsp; 2<BR />firstuser172.31.1.1&nbsp;&nbsp; 1</PRE><P>I suspect there is a hidden character in the second Value. Or, maybe a trailing space (though there is none when I try adding each to the search).</P><P>----</P><P>How can I modify my 'eval' to generate values without hidden characters?</P><P>(I already tried adding a lower() function but without success)</P> Wed, 22 Mar 2023 21:01:31 GMT https://community.splunk.com/t5/Splunk-Search/Are-hidden-characters-breaking-my-joins/m-p/635537#M220798 ttovarzoll 2023-03-22T21:01:31Z https://community.splunk.com/t5/Splunk-Search/Are-hidden-characters-breaking-my-joins/m-p/635607#M220820 <P>One way to check is to bracket the string.</P><LI-CODE lang="markup">| eval user_IP = "&gt;" . username . src_ip . "&lt;"</LI-CODE> Thu, 23 Mar 2023 05:03:41 GMT https://community.splunk.com/t5/Splunk-Search/Are-hidden-characters-breaking-my-joins/m-p/635607#M220820 yuanliu 2023-03-23T05:03:41Z https://community.splunk.com/t5/Splunk-Search/Are-hidden-characters-breaking-my-joins/m-p/635614#M220828 <P>If I remember correctly there were some issues with leading/trailing spaces when using the interesting fields <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a> 's idea is a way to verify it.</P> Thu, 23 Mar 2023 05:36:06 GMT https://community.splunk.com/t5/Splunk-Search/Are-hidden-characters-breaking-my-joins/m-p/635614#M220828 PickleRick 2023-03-23T05:36:06Z https://community.splunk.com/t5/Splunk-Search/Are-hidden-characters-breaking-my-joins/m-p/635747#M220880 <P>Aha! yes, that's a good trick. At first I didn't understand how that would fix the problem but then I realized that it was the perfect troubleshooting step -- and it demonstrated that <STRONG>there was a trailing space</STRONG>.</P><P>So, I have now modified my eval statement and confirmed that I am now receiving the missing events</P><LI-CODE lang="markup">| eval user_IP = username . trim(src_ip)</LI-CODE><P>&nbsp;I also had to add matching trim() statements to several other references to 'username' throughout the SPL query.</P> Thu, 23 Mar 2023 16:13:47 GMT https://community.splunk.com/t5/Splunk-Search/Are-hidden-characters-breaking-my-joins/m-p/635747#M220880 ttovarzoll 2023-03-23T16:13:47Z