Splunk Search

Do you have a plan to support multi character for field extractor

gimapei
New Member

Hi my Name is JaeHyun, Cho
I lives in korea.

my question is why splunk not allow multi charactor fields?

some clients complained about that!

they want to use a Multi charator fields likes "782222-INP"

do you have a plan ????

sorry about my pure english

thank you

0 Karma
1 Solution

somesoni2
Revered Legend

Splunk doesn't support special characters other than underscore ("_") in the field names. You can replace your hypher ("-") with that. Other than that the format your specify does work. See this run-anywhere example.

|stats count | eval message="This is field Extraction Test" | table message | rex field=message "^(?<782222_INP>[^\s]+)" | rex field=message "^([^\s]+\s){1}(?<78222dfd____2_INP>[^\s]+)" | rex field=message "^([^\s]+\s){2}(?<INP_782222_>[^\s]+)"| rex field=message "^([^\s]+\s){3}(?<12_782222_INP>[^\s]+)" | rex field=message "^([^\s]+\s){4}(?<AbCd_782222_INP>[^\s]+)"

View solution in original post

0 Karma

somesoni2
Revered Legend

Splunk doesn't support special characters other than underscore ("_") in the field names. You can replace your hypher ("-") with that. Other than that the format your specify does work. See this run-anywhere example.

|stats count | eval message="This is field Extraction Test" | table message | rex field=message "^(?<782222_INP>[^\s]+)" | rex field=message "^([^\s]+\s){1}(?<78222dfd____2_INP>[^\s]+)" | rex field=message "^([^\s]+\s){2}(?<INP_782222_>[^\s]+)"| rex field=message "^([^\s]+\s){3}(?<12_782222_INP>[^\s]+)" | rex field=message "^([^\s]+\s){4}(?<AbCd_782222_INP>[^\s]+)"
0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...