- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the "safe" character set to use for field names, especially in lookups? By "safe" I mean "no need to quote-escape in a search." I know [a-zA-Z0-9_] works--is there anything else? Periods are sort of valid, but they can do funny things in evals. Basically I'm looking for a secondary separator character in addition to the underscore.
The only official Splunk doc I could find on the topic was the indexed field extraction doc (https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction), but I don't need to define these at index time or in the conf files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![skalliger skalliger](https://community.splunk.com/legacyfs/online/avatars/456299.jpg)
Field names are field names. So use the mentioned characters only.
Valid characters for field names are
a-z, A-Z, 0-9, or _ . Field names
cannot begin with 0-9 or _ . Splunk
reserves leading underscores for its
internal variables. Avoid assigning
field names that match any of the
default field names. Do not assign
field names that contain international
characters.
Skalli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a bit desperate, I'm trying to normalize all field names and remove special characters (https://docs.splunk.com/Documentation/StyleGuide/current/StyleGuide/Specialcharacters) so that a following "foreach" doesn't throw an error. All field names should only contain valid characters.
Can anyone help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you are right. but this question is accepted and closed.
please ask another.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![Graham_Hanningt Graham_Hanningt](https://community.splunk.com/legacyfs/online/avatars/349281.jpg)
Not an answer, and setting aside your understandable "no need to quote-escape" qualification: I have just been searching the Splunk docs for the set of characters allowed in field names. The documentation is inconsistent. Different topics cite different sets of characters.
From Splunk docs / Documentation / Splunk Enterprise / Getting Data In / Create custom fields at index time:
Field name syntax restrictions
You can assign field names as follows:
- Valid characters for field names are a-z, A-Z, 0-9, or _ .
Similarly, from Splunk docs / Documentation / Splunk Cloud / Knowledge Manager Manual / Field Extractor: Select Fields step:
Field names must start with a letter and contain only letters, numbers, and underscores.
But then, Splunk docs / Documentation / Splunk Enterprise / Knowledge Manager Manual / About regular expressions with field extraction:
Proper field name syntax
Field names must conform to the field name syntax rules.
- Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.
adds the period (.) and colon (:).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![skalliger skalliger](https://community.splunk.com/legacyfs/online/avatars/456299.jpg)
Field names are field names. So use the mentioned characters only.
Valid characters for field names are
a-z, A-Z, 0-9, or _ . Field names
cannot begin with 0-9 or _ . Splunk
reserves leading underscores for its
internal variables. Avoid assigning
field names that match any of the
default field names. Do not assign
field names that contain international
characters.
Skalli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![andygerberkp andygerberkp](https://community.splunk.com/legacyfs/online/avatars/535303.jpg)
This is incorrect; the text above is from an SPL2 page, not an SPL page. The correct info is this:
Proper field name syntax
Field names must conform to the field name syntax rules.
- Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.
- Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise internal variables.
which can be found here:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was afraid of that. Would be nice if there were a second separator-like character, but I'll make do. Thank you for confirming.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![niketn niketn](https://community.splunk.com/legacyfs/online/avatars/299862.jpg)
@cphair you can refer to the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutregularexpressionswithfieldextrac...
Also you can try creating a Field Extraction using Interactive Field Extractor
where you will get Field names must start with a letter and contain only letters, numbers, and underscores.
warning in case you provide invalid field name.
| makeresults | eval message= "Happy Splunking!!!"
![](/skins/images/89D5ADE867CBAF0B5A525B7E23D83D7E/responsive_peak/images/icon_anonymous_message.png)