Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't Specify Fields Using Non-Standard Characters

dtaylor
Path Finder
‎01-05-2025 05:46 PM

Back again with another question. I'm still playing with my search and whle this is an issue I've managed to work around, the fact that I need to work around it without knowing the why behind it eats at me.

I have a search that pulls data from two different sourcetypes, and each of those sourcetypes have a src_mac field(the data in these fields is identical except for the letter case). To rectify the issues this causes when attempting to call the field in a search, I use eval to create two new fields with the sourcetype of each event so that the field names are now unique(in addition to fixing the letter case mismatch).

Specifically, this creates two fields named "src_mac-known_devices" and "src_mac-ise:syslog"

| eval src_mac-{sourcetype}=src_mac, src_mac=upper(src_mac)
| where upper("src_mac-*") = upper("src_mac-*")

However, in the WHERE command, I'm only able to call these two new fields when I use a wildcard. I can't actually put in | WHERE upper("src_mac-bro_known_devices") = upper("src_mac-ise:syslog")
The command just doesn't work for some reason, and I get zero hits despite *knowing* I should get plenty of hits. In other words, it works fine when I use the wildcard and not at all when I use anything else. Even attempting to do something like | where upper("src_mac-b*") = upper("src_mac-c*") doesn't work. 

I have read through the wiki articles on proper naming practices for fields, so I know my two fields contain illegal characters. I also know the : is used when trying to search indexed fields, but I thought I could use single or double quotation marks to work around that limitation or maybe using the / to escape the special characters.....but none of that has worked.

At this point, I just want to understand *why* it isn't working. Thank you for any help anyone can provide.

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2025 02:15 AM

The where command (as with most commands) works on one event at a time - since your events are coming from different sourcetypes, they will be different events so the where command doesn't find any matches.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2025 01:54 AM

Try not introducing an "illegal" character in the first place!

| eval src_mac_{sourcetype}=src_mac

Also, use single quotes around the field name, particularly on the right-hand side of the eval

| WHERE upper('src_mac-bro_known_devices') = upper('src_mac-ise:syslog')
0 Karma
Reply
Solved! Jump to solution

dtaylor
Path Finder
‎01-06-2025 02:06 AM

Strange, that's exactly what I tried before posting, but it still resulted in 0 hits whereas a wildcard got me the results I was looking for. For the sake of experimentation, I changed the eval to: 

| eval src_mac_{index}=src_mac

 

Making this change, there would be no illegal chacters in the field name, only a-z plus the underscore. Despite that, the search still didn't function properly. Furthermore, single quotes causes the search not to match anything regardless of whether I use a wildcard or not. It has to be double quotes.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2025 02:15 AM

The where command (as with most commands) works on one event at a time - since your events are coming from different sourcetypes, they will be different events so the where command doesn't find any matches.

Reply
Solved! Jump to solution

dtaylor
Path Finder
‎01-06-2025 02:26 AM

That's it! I hadn't even considered that. Thank you so much!

 

But given Where only works one event at a time, does that mean it can't be used to compare fields in two different sourcetypes?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2025 03:07 AM

Not without combining them into a single event - this is usually done with some sort of stats command e.g. stats, eventstats, streamstats, etc Depending on what you are trying to do and how the data is represented in your events, there could be a number of ways to do this.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...