Getting Data In

Safe characters for field names

Builder

What is the "safe" character set to use for field names, especially in lookups? By "safe" I mean "no need to quote-escape in a search." I know [a-zA-Z0-9_] works--is there anything else? Periods are sort of valid, but they can do funny things in evals. Basically I'm looking for a secondary separator character in addition to the underscore.

The only official Splunk doc I could find on the topic was the indexed field extraction doc (https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction), but I don't need to define these at index time or in the conf files.

Labels (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Field names are field names. So use the mentioned characters only.

Valid characters for field names are
a-z, A-Z, 0-9, or _ . Field names
cannot begin with 0-9 or _ . Splunk
reserves leading underscores for its
internal variables. Avoid assigning
field names that match any of the
default field names. Do not assign
field names that contain international
characters.

Skalli

View solution in original post

0 Karma

New Member

I'm a bit desperate, I'm trying to normalize all field names and remove special characters (https://docs.splunk.com/Documentation/StyleGuide/current/StyleGuide/Specialcharacters) so that a following "foreach" doesn't throw an error. All field names should only contain valid characters.

Can anyone help me?

0 Karma

Ultra Champion

I think you are right. but this question is accepted and closed.
please ask another.

0 Karma

Not an answer, and setting aside your understandable "no need to quote-escape" qualification: I have just been searching the Splunk docs for the set of characters allowed in field names. The documentation is inconsistent. Different topics cite different sets of characters.

From Splunk docs / Documentation / Splunk Enterprise / Getting Data In / Create custom fields at index time:

Field name syntax restrictions

You can assign field names as follows:

  • Valid characters for field names are a-z, A-Z, 0-9, or _ .

Similarly, from Splunk docs / Documentation / Splunk Cloud / Knowledge Manager Manual / Field Extractor: Select Fields step:

Field names must start with a letter and contain only letters, numbers, and underscores.

But then, Splunk docs / Documentation / Splunk Enterprise / Knowledge Manager Manual / About regular expressions with field extraction:

Proper field name syntax
Field names must conform to the field name syntax rules.

  • Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.

adds the period (.) and colon (:).

0 Karma

SplunkTrust
SplunkTrust

Field names are field names. So use the mentioned characters only.

Valid characters for field names are
a-z, A-Z, 0-9, or _ . Field names
cannot begin with 0-9 or _ . Splunk
reserves leading underscores for its
internal variables. Avoid assigning
field names that match any of the
default field names. Do not assign
field names that contain international
characters.

Skalli

View solution in original post

0 Karma

Builder

I was afraid of that. Would be nice if there were a second separator-like character, but I'll make do. Thank you for confirming.

0 Karma

SplunkTrust
SplunkTrust

@cphair you can refer to the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutregularexpressionswithfieldextrac...

Also you can try creating a Field Extraction using Interactive Field Extractor where you will get Field names must start with a letter and contain only letters, numbers, and underscores. warning in case you provide invalid field name.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma