Alerting
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Splunk swears on the field with a dot

metylkinandrey
Communicator
‎09-29-2022 04:32 AM
Good afternoon! We have a need to send a field with a dot in the message: result.code.
But the request in which I specify this field fails.
Request:
index="main" sourcetype="testsystem-script99"
| transaction maxpause=10m srcMsgId Correlation_srcMsgId messageId result.code
| table _time srcMsgId Correlation_srcMsgId messageId result.code
| fields _time srcMsgId Correlation_srcMsgId messageId result.code
| sort srcMsgId _time
| streamstats current=f window=1 values(_time) as prevTime by subject
| eval timeDiff=_time-prevTime
| delta _time as timeDiff
| where (result.code)>0
 
Error:
Error in 'where' command: Type checking failed. The '>' operator received different types.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
 
The error does not occur with the following options: resultcode, result-code, result_code.
Tell me please, what could be the problem?
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2022 05:06 AM

Field names with special characters such as dots should be enclosed in single quotes

 

| where 'result.code'>0

 

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-29-2022 05:16 AM

Hi @metylkinandrey,

you can use the hint from @richgalloway and @ITWhisperer using quotes or, better in my mind, to rename the field containing dot, especially if you have to use it many times in your searches.

index="main" sourcetype="testsystem-script99"
| rename result.code AS result_code
| transaction maxpause=10m srcMsgId Correlation_srcMsgId messageId result_code
| table _time srcMsgId Correlation_srcMsgId messageId result_code
| sort srcMsgId _time
| streamstats current=f window=1 values(_time) as prevTime by subject
| eval timeDiff=_time-prevTime
| delta _time as timeDiff
| where result_code>0

in addition, you don't need to use fields command after table command.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2022 05:08 AM

Try putting the field name within single quotes.  Single quotes tell Splunk the enclosed text is a field name rather than a literal string and avoids confusion caused by spaces and other odd characters. 

| where 'result.code' > 0
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2022 05:06 AM

Field names with special characters such as dots should be enclosed in single quotes

 

| where 'result.code'>0

 

Reply
Solved! Jump to solution

metylkinandrey
Communicator
‎09-29-2022 05:22 AM

wow, it works! Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...
Top