Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Splunk swears on the field with a dot

metylkinandrey
Communicator
‎09-29-2022 04:32 AM
Good afternoon! We have a need to send a field with a dot in the message: result.code.
But the request in which I specify this field fails.
Request:
index="main" sourcetype="testsystem-script99"
| transaction maxpause=10m srcMsgId Correlation_srcMsgId messageId result.code
| table _time srcMsgId Correlation_srcMsgId messageId result.code
| fields _time srcMsgId Correlation_srcMsgId messageId result.code
| sort srcMsgId _time
| streamstats current=f window=1 values(_time) as prevTime by subject
| eval timeDiff=_time-prevTime
| delta _time as timeDiff
| where (result.code)>0
 
Error:
Error in 'where' command: Type checking failed. The '>' operator received different types.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
 
The error does not occur with the following options: resultcode, result-code, result_code.
Tell me please, what could be the problem?
Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2022 05:06 AM

Field names with special characters such as dots should be enclosed in single quotes

 

| where 'result.code'>0

 

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2022 05:16 AM

Hi @metylkinandrey,

you can use the hint from @richgalloway and @ITWhisperer using quotes or, better in my mind, to rename the field containing dot, especially if you have to use it many times in your searches.

index="main" sourcetype="testsystem-script99"
| rename result.code AS result_code
| transaction maxpause=10m srcMsgId Correlation_srcMsgId messageId result_code
| table _time srcMsgId Correlation_srcMsgId messageId result_code
| sort srcMsgId _time
| streamstats current=f window=1 values(_time) as prevTime by subject
| eval timeDiff=_time-prevTime
| delta _time as timeDiff
| where result_code>0

in addition, you don't need to use fields command after table command.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2022 05:08 AM

Try putting the field name within single quotes.  Single quotes tell Splunk the enclosed text is a field name rather than a literal string and avoids confusion caused by spaces and other odd characters. 

| where 'result.code' > 0
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2022 05:06 AM

Field names with special characters such as dots should be enclosed in single quotes

 

| where 'result.code'>0

 

Reply
Solved! Jump to solution

metylkinandrey
Communicator
‎09-29-2022 05:22 AM

wow, it works! Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...