Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the "safe" character set to use for field names, especially in lookups?

cphair
Builder
‎07-23-2019 05:55 AM

What is the "safe" character set to use for field names, especially in lookups? By "safe" I mean "no need to quote-escape in a search." I know [a-zA-Z0-9_] works--is there anything else? Periods are sort of valid, but they can do funny things in evals. Basically I'm looking for a secondary separator character in addition to the underscore.

The only official Splunk doc I could find on the topic was the indexed field extraction doc (https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction), but I don't need to define these at index time or in the conf files.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skalliger
Motivator
‎07-25-2019 01:00 AM

Field names are field names. So use the mentioned characters only.

Valid characters for field names are
a-z, A-Z, 0-9, or _ . Field names
cannot begin with 0-9 or _ . Splunk
reserves leading underscores for its
internal variables. Avoid assigning
field names that match any of the
default field names. Do not assign
field names that contain international
characters.

Skalli

View solution in original post

0 Karma
Reply
Solved! Jump to solution

twjack
Explorer
‎03-07-2020 04:14 PM

I'm a bit desperate, I'm trying to normalize all field names and remove special characters (https://docs.splunk.com/Documentation/StyleGuide/current/StyleGuide/Specialcharacters) so that a following "foreach" doesn't throw an error. All field names should only contain valid characters.

Can anyone help me?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-07-2020 04:39 PM

I think you are right. but this question is accepted and closed.
please ask another.

0 Karma
Reply
Solved! Jump to solution

Graham_Hanningt
Builder
‎08-01-2019 08:26 PM

Not an answer, and setting aside your understandable "no need to quote-escape" qualification: I have just been searching the Splunk docs for the set of characters allowed in field names. The documentation is inconsistent. Different topics cite different sets of characters.

From Splunk docs / Documentation / Splunk Enterprise / Getting Data In / Create custom fields at index time:

Field name syntax restrictions

You can assign field names as follows:

  • Valid characters for field names are a-z, A-Z, 0-9, or _ .

Similarly, from Splunk docs / Documentation / Splunk Cloud / Knowledge Manager Manual / Field Extractor: Select Fields step:

Field names must start with a letter and contain only letters, numbers, and underscores.

But then, Splunk docs / Documentation / Splunk Enterprise / Knowledge Manager Manual / About regular expressions with field extraction:

Proper field name syntax
Field names must conform to the field name syntax rules.

  • Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.

adds the period (.) and colon (:).

Reply
Solved! Jump to solution
Solution

skalliger
Motivator
‎07-25-2019 01:00 AM

Field names are field names. So use the mentioned characters only.

Valid characters for field names are
a-z, A-Z, 0-9, or _ . Field names
cannot begin with 0-9 or _ . Splunk
reserves leading underscores for its
internal variables. Avoid assigning
field names that match any of the
default field names. Do not assign
field names that contain international
characters.

Skalli

0 Karma
Reply
Solved! Jump to solution

andygerberkp
Explorer
‎08-23-2022 07:59 AM

This is incorrect; the text above is from an SPL2 page, not an SPL page.  The correct info is this:

Proper field name syntax

Field names must conform to the field name syntax rules.

  • Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.
  • Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise internal variables.

which can be found here:

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutregularexpressionswithfieldextrac...

0 Karma
Reply
Solved! Jump to solution

cphair
Builder
‎07-25-2019 05:10 AM

I was afraid of that. Would be nice if there were a second separator-like character, but I'll make do. Thank you for confirming.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-25-2019 01:40 AM

@cphair you can refer to the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutregularexpressionswithfieldextrac...

Also you can try creating a Field Extraction using Interactive Field Extractor where you will get Field names must start with a letter and contain only letters, numbers, and underscores. warning in case you provide invalid field name.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...