Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Allowed characters for metadata fields source and sourcetype

helge
Builder
‎02-08-2020 04:20 PM

My question is simple: which characters are allowed for the values of the metadata fields source and sourcetype?

I could not find any documentation on this.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acfecondo75
Path Finder
‎02-10-2020 08:07 AM

The values you assign to those fields are arbitrary strings. They can contain any characters within the specified supported character (more info on that here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Configurecharactersetencoding)

View solution in original post

Reply
Solved! Jump to solution
Solution

acfecondo75
Path Finder
‎02-10-2020 08:07 AM

The values you assign to those fields are arbitrary strings. They can contain any characters within the specified supported character (more info on that here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Configurecharactersetencoding)

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-08-2020 05:41 PM 
| makeresults count=256
| streamstats count as code
| eval ascii=printf("%c",code)
| stats values(ascii) as ascii

Configure character set encoding

If the encoding is correct, there should be no problem.

0 Karma
Reply
Solved! Jump to solution

helge
Builder
‎02-08-2020 05:53 PM

@to4kawa I am not sure you understood my question. Also, you should explain (in detail) how the search you posted just now helps answer my question.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-08-2020 06:06 PM

I'm sorry I couldn't meet your request.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-08-2020 05:41 PM

Field name syntax restrictions

Field name syntax restrictions
You can assign field names as follows:

Valid characters for field names are a-z, A-Z, 0-9, or _ .
Field names cannot begin with 0-9 or _ . Splunk reserves leading underscores for its internal variables.
Avoid assigning field names that match any of the default field names.
Do not assign field names that contain international characters.
0 Karma
Reply
Solved! Jump to solution

helge
Builder
‎02-08-2020 05:41 PM

@to4kawa The link you posted does not seem to apply. I am not asking about field names, but field values. I am going to update the question to make this more clear.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...