Getting Data In

What is the "safe" character set to use for field names, especially in lookups?

cphair
Builder

What is the "safe" character set to use for field names, especially in lookups? By "safe" I mean "no need to quote-escape in a search." I know [a-zA-Z0-9_] works--is there anything else? Periods are sort of valid, but they can do funny things in evals. Basically I'm looking for a secondary separator character in addition to the underscore.

The only official Splunk doc I could find on the topic was the indexed field extraction doc (https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction), but I don't need to define these at index time or in the conf files.

0 Karma
1 Solution

skalliger
Motivator

Field names are field names. So use the mentioned characters only.

Valid characters for field names are a-z, A-Z, 0-9, or _ . Field names cannot begin with 0-9 or _ . Splunk reserves leading underscores for its internal variables. Avoid assigning field names that match any of the default field names. Do not assign field names that contain international characters.

Skalli


0 Karma

twjack
Explorer

I'm a bit desperate, I'm trying to normalize all field names and remove special characters (https://docs.splunk.com/Documentation/StyleGuide/current/StyleGuide/Specialcharacters) so that a following "foreach" doesn't throw an error. All field names should only contain valid characters.

Can anyone help me?

0 Karma

to4kawa
Ultra Champion

I think you are right, but this question is accepted and closed.
Please ask another.

0 Karma

Graham_Hanningt
Builder

Not an answer, and setting aside your understandable "no need to quote-escape" qualification: I have just been searching the Splunk docs for the set of characters allowed in field names. The documentation is inconsistent. Different topics cite different sets of characters.

From Splunk docs / Documentation / Splunk Enterprise / Getting Data In / Create custom fields at index time:

Field name syntax restrictions

You can assign field names as follows:

  • Valid characters for field names are a-z, A-Z, 0-9, or _ .

Similarly, from Splunk docs / Documentation / Splunk Cloud / Knowledge Manager Manual / Field Extractor: Select Fields step:

Field names must start with a letter and contain only letters, numbers, and underscores.

But then, Splunk docs / Documentation / Splunk Enterprise / Knowledge Manager Manual / About regular expressions with field extraction:

Proper field name syntax
Field names must conform to the field name syntax rules.

  • Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.

adds the period (.) and colon (:).

skalliger
Motivator

Field names are field names. So use the mentioned characters only.

Valid characters for field names are a-z, A-Z, 0-9, or _ . Field names cannot begin with 0-9 or _ . Splunk reserves leading underscores for its internal variables. Avoid assigning field names that match any of the default field names. Do not assign field names that contain international characters.

Skalli

0 Karma

andygerberkp
Explorer

This is incorrect; the text above is from an SPL2 page, not an SPL page. The correct info is this:

Proper field name syntax

Field names must conform to the field name syntax rules.

  • Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.
  • Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise internal variables.

which can be found here:

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutregularexpressionswithfieldextrac...

0 Karma

cphair
Builder

I was afraid of that. Would be nice if there were a second separator-like character, but I'll make do. Thank you for confirming.

0 Karma

niketn
Legend

@cphair you can refer to the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutregularexpressionswithfieldextrac...

Also, you can try creating a Field Extraction using the Interactive Field Extractor, where you will get a "Field names must start with a letter and contain only letters, numbers, and underscores." warning in case you provide an invalid field name.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
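
An added example, not part of any post in this thread and not Splunk code: a Python helper that rewrites a lookup CSV header to the conservative set every doc excerpt quoted above agrees on (letters, digits and underscore, starting with a letter), so the names need no quoting in a search. The function names, the `f_` prefix, the `field` fallback and the sample CSV are assumptions made for illustration.

```python
import csv
import io
import re

# Conservative rule common to all doc excerpts quoted in the thread.
SAFE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def normalize_field_name(name, prefix="f_", fallback="field"):
    """Map one arbitrary header to [A-Za-z][A-Za-z0-9_]*."""
    # Every run of other characters (., :, -, space, non-ASCII) becomes "_".
    cleaned = re.sub(r"[^A-Za-z0-9_]+", "_", name.strip())
    # Collapse repeats and drop leading/trailing "_" (leading "_" is reserved).
    cleaned = re.sub(r"_+", "_", cleaned).strip("_")
    if not cleaned:
        return fallback
    if cleaned[0].isdigit():  # names may not begin with 0-9
        cleaned = prefix + cleaned
    return cleaned


def normalize_header(names):
    """Normalize a header row; colliding names get a numeric suffix."""
    used, result = set(), []
    for raw in names:
        base = normalize_field_name(raw)
        candidate, n = base, 1
        while candidate in used:
            n += 1
            candidate = f"{base}_{n}"
        used.add(candidate)
        result.append(candidate)
    return result


def rewrite_lookup(csv_text):
    """Return (new CSV text, [(old name, new name), ...]) for a lookup file."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return csv_text, []
    header = normalize_header(rows[0])
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows[1:])  # data rows are copied unchanged
    return out.getvalue(), list(zip(rows[0], header))


# Constructed sample lookup, not taken from the thread.
SAMPLE = "src-ip,src.ip,2xx count,_internal id,Größe,user:name\n10.0.0.1,10.0.0.2,5,a,3,bob\n"
```

Keep the returned old-to-new mapping so existing searches and lookup definitions that reference the old column names can be updated together with the file.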