https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122450#M32984 <P>Consider going with a structured format such as JSON:</P> <PRE><CODE>{ "timestamp": "...", "client_host": "...", "client_id": "...", "report_id": "...", "data": [ {"domain": "...", "duration": 123}, {"domain": "...", "duration": 456}, ... ] } </CODE></PRE> <P>Very easy to parse and work with afterwards, for any number of data points in a single event.</P> <P>As for your last question, please rephrase - I don't quite grasp what you're asking for.</P> Mon, 17 Nov 2014 17:47:58 GMT martin_mueller 2014-11-17T17:47:58Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122447#M32981 <P>Hi<BR /> I have the following logs:</P> <PRE><CODE>10/01/2014 00:00:00 -0500, client_host="172.24.1.41", client_id=db01, report_id=RAS04, igoogleinicio.com=3491, webair.com=13148 10/01/2014 00:00:00 -0500, client_host="172.24.1.41", client_id=db01, report_id=RAS04, smtp.ec.pe=1313, your-server.de=13148 </CODE></PRE> <P>These data need to view them as a table: ... | table *<BR /> And show me the header like this:</P> <PRE><CODE>client_host | client_id | report_id | igoogleinicio_com | webair_com | smtp_ec_br | your_server_de </CODE></PRE> <P>As you can see, the fields that have: _ and . are replaced by _ (underline).<BR /> There will be no way around this?<BR /> I thank You in advance.</P> <P>Regards<BR /> Jorge</P> Sun, 16 Nov 2014 19:11:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122447#M32981 jrodriguezap 2014-11-16T19:11:46Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122448#M32982 <P>You could set up your own key-value extraction with <CODE>CLEAN_KEYS = false</CODE>... however, that often gets you into trouble when using field names that have non-word characters in them. For example, running <CODE>... | eval foo = your-server.de</CODE> will look for fields called <CODE>your</CODE>, <CODE>server</CODE>, and <CODE>de</CODE> and perform subtraction resp. string concatenation on their values.</P> <P>I'd say the greater issue here is that you have values used as field names. Your events would be nicer to use if they looked like this: <CODE>... server=your-server.de duration=13148</CODE>. Then you'd have no trouble with cleaned keys and an easy time building reports off the data generically without knowing the domains... which you need to if they're the field names.</P> Sun, 16 Nov 2014 23:00:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122448#M32982 martin_mueller 2014-11-16T23:00:32Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122449#M32983 <P>Thanks for the tip.<BR /> I wish it were as comets, but those who come are dynamic fields, often reaching 10 to 20 "fields =" with different domain names.<BR /> consultation, which would put the value CLEAN_KEYS<BR /> Currently the SourceType is "report" and am configuring props.conf</P> <PRE><CODE>[report] REPORT-rpt_1=no_clean_keys </CODE></PRE> <P>In transforms.conf</P> <PRE><CODE>[no_clean_keys] DELIMS = ",", "=" CAN_OPTIMIZE = false MV_ADD = true CLEAN_KEYS = false </CODE></PRE> <P>Extract the fields well, as needed. But keep the above fields, there will be way to clean?</P> Mon, 17 Nov 2014 00:03:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122449#M32983 jrodriguezap 2014-11-17T00:03:22Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122450#M32984 <P>Consider going with a structured format such as JSON:</P> <PRE><CODE>{ "timestamp": "...", "client_host": "...", "client_id": "...", "report_id": "...", "data": [ {"domain": "...", "duration": 123}, {"domain": "...", "duration": 456}, ... ] } </CODE></PRE> <P>Very easy to parse and work with afterwards, for any number of data points in a single event.</P> <P>As for your last question, please rephrase - I don't quite grasp what you're asking for.</P> Mon, 17 Nov 2014 17:47:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122450#M32984 martin_mueller 2014-11-17T17:47:58Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122451#M32985 <P>Hi Martin<BR /> What is happening after setting the props and transforms, is showing me the above fields and new fields</P> <PRE><CODE>client_host | client_id | report_id | igoogleinicio_com | igoogleinicio.com | webair_com | webair.com | smtp_ec_br | smtp.ec.br | your_server_de | your-server.de </CODE></PRE> Mon, 17 Nov 2014 18:07:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122451#M32985 jrodriguezap 2014-11-17T18:07:27Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122452#M32986 <P>The original key-value extractions are still active. Set <CODE>KV_MODE = none</CODE> in props.conf to turn them off.</P> Mon, 17 Nov 2014 18:14:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122452#M32986 martin_mueller 2014-11-17T18:14:22Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122453#M32987 <P>Excellent @martin_mueller!!!<BR /> I knew you could<BR /> thank you very much</P> Mon, 17 Nov 2014 18:23:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122453#M32987 jrodriguezap 2014-11-17T18:23:36Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122454#M32988 <P>I still maintain that using varying domains as field names is going to end in tears...</P> Mon, 17 Nov 2014 18:24:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122454#M32988 martin_mueller 2014-11-17T18:24:59Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122455#M32989 <P>Martin understand, this is for a report that is generated monthly with a "bucket"<BR /> For example: Top 3 mailserver for day<BR /> This is stored in a summary, and then it is called by some dashboards.<BR /> Thankz</P> <P>Jorge</P> Mon, 17 Nov 2014 18:28:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122455#M32989 jrodriguezap 2014-11-17T18:28:05Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122456#M32990 <P>How is that <CODE>top 3 mailserver</CODE> supposed to work if your mailserver domains are the field names?</P> <P>...oh well, as long as it works for you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 17 Nov 2014 18:29:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-field-names-with-periods-OR-hyphens-from-getting/m-p/122456#M32990 martin_mueller 2014-11-17T18:29:48Z