All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field values with spaces

tkwaller
Builder
‎04-23-2014 11:11 AM

Hello

I'm trying to use a field that has values that have spaces.

For example: errorMsg=Requested tickets could not be reserved

another example: errorMsg=System.ObjectDisposedException: The factory was disposed and can no longer be used. Object name: 'this'.

The problem is that the messages contain spaces. All of the messages are different in this field, some longer with less spaces and some shorter. When I do a stats count command on the errorMsg field but all I get is the first word of the string.

Any ideas on how I can correct this?

I also tried using the Field Extractor but alas no good.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

linu1988
Champion
‎04-23-2014 12:03 PM

Well you could extract the value from the the event and then assign it to a new filed. Take a chance with the below one.

source...| rex field=_raw "errorMsg=(?P<Error>[\S\s]+)" |stats count by Error

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎04-23-2014 12:24 PM

Both of these seemed to be correct answers. The first solves inline and the second works great as an extraction. Thanks for the help guys, I greatly appreciate it!

0 Karma
Reply
Solved! Jump to solution
Solution

linu1988
Champion
‎04-23-2014 12:03 PM

Well you could extract the value from the the event and then assign it to a new filed. Take a chance with the below one.

source...| rex field=_raw "errorMsg=(?P<Error>[\S\s]+)" |stats count by Error

Thanks

0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎04-23-2014 11:51 AM

yes after the = sign there is always a message like examples above. It is NEVER NULL. When I use the stats command I only get the first word of the message

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-23-2014 11:50 AM

i meant after = sign do you have the error message or do you get something else??

0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎04-23-2014 11:49 AM

but it is always more than one word

0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎04-23-2014 11:20 AM

No sometimes it is something more simple as: errorMsg=Requested tickets could not be reserved

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-23-2014 11:17 AM

do you have the entire sentence always as the error message after errorMsg=?

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Observability - October 2025

What’s New?  We’re excited to announce the latest enhancements to Splunk Observability Cloud and share what’s ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened Audit Trail v2 wasn’t written in isolation—it was shaped by your voices. In ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...