Splunk Search

How can I extract a field with a '.' (period character)?

throstur
Engager

It seems that there is no way to extract fields with a '.' in the name.

I'm trying to use field extractors on our older data to create fields matching the newer data json fields.

{ "pirate": { "say": "Shiver me timbers" } }
pirate.say = "Shiver me timbers"

To test this you can do something like this:

| metadata type=hosts index=_internal 
| head 1
| eval message="Shiver me timbers, goes the pirate"
| table message
| rex field=message "(?<pirate.say>[^,]+)"

But all I get for my efforts is the same error message in both the 'rex' prototype described above and 'Field extractions' page.

From the 'rex' prototype I get:

Error in 'rex' command: Encountered the following error while compiling the regex '(?<pirate.say>[^,]+)': Regex: syntax error in subpattern name (missing terminator)

From the 'Fields » Field extractions » Add new' I get:

Encountered the following error while trying to save: Regex: syntax error in subpattern name (missing terminator)

So any thoughts on how I can solve this one?

0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

PCRE regular expressions do not permit a period in capture group names by the definition of the names. If you want to separate the words, you must use an underscore. Therefore you could use pirate_say, but not pirate.say or even pirate-say. You may only use A-Z, a-z, 0-9 and _ in capture group names.

throstur
Engager

Yes, I suspected as much.

Was hoping that there was a workaround for Splunk as they support field names with other characters.

The workaround I'm currently using is renaming pirate_say to pirate.say if pirate.say does not already exist.

0 Karma
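An added example, not code from the thread or from Splunk, that puts the accepted answer's naming rule and the rename-if-absent workaround above into a small Python script. Python's `re` spells named groups `(?P<name>...)` rather than PCRE's `(?<name>...)`, but it enforces the same restriction on the name, so the dotted name fails in the same way. The sample message, the `safe_group_name` helper and the `extract` function are constructed for this example.

```python
import re

# PCRE (and Python's re) capture-group names may contain only letters, digits
# and underscore, and may not start with a digit. Everything else is rejected.
GROUP_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_group_name(name: str) -> bool:
    """True if `name` is legal as a named capture group (PCRE rule)."""
    return bool(GROUP_NAME_RE.match(name))


def safe_group_name(field: str) -> str:
    """Map a desired (possibly dotted) field name to a legal group name,
    e.g. 'pirate.say' -> 'pirate_say'. Hypothetical helper for this example."""
    safe = re.sub(r"[^A-Za-z0-9_]", "_", field)
    if safe[:1].isdigit():
        safe = "_" + safe
    return safe


def compile_status(pattern: str) -> str:
    """Try to compile a pattern; return 'ok' or the engine's complaint."""
    try:
        re.compile(pattern)
        return "ok"
    except re.error as exc:
        return f"error: {exc}"


def extract(message: str, field: str, value_pattern: str, existing: dict) -> dict:
    """Extract `value_pattern` from `message` into the dotted field `field`
    via a legal group name, without overwriting a value that is already
    present (the rename-only-if-missing workaround from the thread)."""
    group = safe_group_name(field)
    regex = re.compile(f"(?P<{group}>{value_pattern})")
    event = dict(existing)
    match = regex.search(message)
    if match and field not in event:
        event[field] = match.group(group)
    return event


if __name__ == "__main__":
    msg = "Shiver me timbers, goes the pirate"  # constructed sample event
    print(compile_status(r"(?P<pirate.say>[^,]+)"))  # starts with "error:"
    print(compile_status(r"(?P<pirate_say>[^,]+)"))  # ok
    print(extract(msg, "pirate.say", r"[^,]+", {}))
    print(extract(msg, "pirate.say", r"[^,]+", {"pirate.say": "already set"}))
```

In SPL the same extract-then-rename-if-missing step is the rex with the underscore name followed by an eval, assuming the usual eval quoting rules for field names containing a period: `| eval "pirate.say"=coalesce('pirate.say', pirate_say)`.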

gcusello
SplunkTrust
SplunkTrust

Hi throstur,
beware that the search command

| rex field=message "(?<pirate_say>[^,]+)"

when it is in a dashboard must be translated into

| rex field=message "(?&lt;pirate_say&gt;[^,]+)"

you missed ; in &lt and &gt
Bye.
Giuseppe

throstur
Engager

Thanks. 😄

0 Karma

throstur
Engager

Fixed it now

0 Karma

gcusello
SplunkTrust
SplunkTrust

if this solution answers your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma

throstur
Engager

No this doesn't answer my question at all.

0 Karma