Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Automatic field extraction syntax: quoting, escaping quotes

larrywest
Explorer
‎04-06-2017 02:25 PM

(Note that this entire post is about text being written to logs that Splunk scans, not about queries or query syntax.)

I would like to know what syntax (regex?) Splunk uses for its automatic field extraction.

The obvious rule is that if the field has embedded spaces or certain other characters, it has to be quoted, with double quotes (never single quotes/apostrophes; I haven't tried UNICODE puncuation very much).

For example, I've learned that a "|" terminates a field as far as Splunk auto-extraction is concern, and so any field with a "|" must be quoted.

Is there a list of such rules, a regular expression, or code available to inspect?

Here's a practical example: the 'weak' form of the HTTP ETags (or If-None-Match) header look like this:

  Etag: W/"some-identifying-text"

Now if I want to log that, I need to be careful not to quote it, because then Splunk will see all these values as having the value "W/".

Or, I've found -- by trial and error -- that I can escape quotes by doubling them. E.g.,



  Etag: "W/""some-identifying-text"

But it would be far far easier to know rather than guess the syntax rules. Can someone point me towards them?

Also, it would be good to know which of the UNICODE quoting characters Splunk inteprets as such -- e.g., it should probably handle the "Ps", "Pe", "Pi", and "Pf" categories as described in http://www.unicode.org/versions/Unicode9.0.0/ch04.pdf, but does it? If not, what characters does it consider to be quoting characters, other than ASCII double-quote (")?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎04-07-2017 09:50 AM

For how Splunk breaks up streams of "stuff" you'll want to refer to segmenters.conf

Here's a link to the configuration file for segmenters.conf. You may also fine it useful to read more explanation about segmentation and segmentation types. Those two links should give you what you need - a list of which characters do what things by default when Splunk breaks up events into fields and segments.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...