Splunk Search

Does full key value not extract properly if it starts with a number?

msmapper
Path Finder

I have created a new log message that looks like

2018-06-27 11:28:01,743 WARN TestReporting , id="LJ99YUT5F1K", trans_timestamp="6/27/18 3:42 AM", 3d_secure_data="", arn="", purchase_amount="57.80", currency="USD"

All of my Key-value pairs do auto-extract but the one named 3d_secure_data does not seem to extract the full name. When you look at the Interesting Fields, the key is actually named d_secure_data, the 3 is being dropped off somehow. See screenshot

alt text

Is this a known key naming convention where keys can only start with alpha char or is this an issue with auto-extraction? I am using Splunk Enterprise 6.6.3.

I can work around the issue by remaining the key and spelling out the word three, Ijust want to know if this a known configuration setup or a bug.

Regards
Jen

0 Karma
1 Solution

ddrillic
Ultra Champion
0 Karma

ddrillic
Ultra Champion
0 Karma

msmapper
Path Finder

Thanks ddrillic! Not sure how I missed that in the documentation after all these years.

0 Karma

ddrillic
Ultra Champion

Sure thing - I wasn't sure either ; -)

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!