Splunk Search

How do you run Splunk query for Field with brackets?

ratan2257
New Member

It might be a very simple answer, however I have not been able to find it so far.

My Splunk query has a field named "Size(MB)". I cannot get around it with an escape character, eval or rex to run the query with this type of field.

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d **avg(Size(MB))** by DBname
0 Karma

lakromani
Builder

If your data is in a form like this:

bla bla Size(128)

Then you can extract it using regex like this:

index=dbx ServerName="bestserver" sourcetype=stats | rex "Size\((?<Size>[^\)]+)" | timechart span=1d avg(Size) by DBname
0 Karma

lakromani
Builder

For me this works: avg("Size(MB)")

You can try to rename the field like this:

your search | rename "Size(MB)" AS Size | timechart span=1d avg(Size) by DBname

PS: You do have a space after span in your example. This does not work. Correct is span=1d, not span =1d.

0 Karma

ratan2257
New Member

It is not about the data, it's the field name itself with brackets ().

0 Karma

kamlesh_vaghela
SplunkTrust

@ratan2257

You just need double quotes around the name.

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d avg("Size(MB)") by DBname

Thanks

0 Karma

ratan2257
New Member

Unfortunately that didn't work.

0 Karma

kamlesh_vaghela
SplunkTrust

@ratan2257
Is it possible to share the sample event or screenshot of this field and value?

0 Karma
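A self-contained search for testing the quoting suggested in this thread, added here as an example and not posted by any participant. It builds six constructed events with `makeresults` (the `n`, `size` and `size_gb` fields and the `db_a`/`db_b` values are made up for the test), renames a field to `Size(MB)`, and then references it with double quotes in `timechart` as in the replies above. It goes slightly beyond the thread by also showing the single-quote form that `eval` expressions require.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - (n % 3) * 86400
| eval DBname = if(n % 2 == 0, "db_a", "db_b")
| eval size = n * 100
| rename size AS "Size(MB)"
| eval size_gb = round('Size(MB)' / 1024, 3)
| timechart span=1d avg("Size(MB)") by DBname
```

Inside an `eval` expression, double quotes produce a string literal, so `"Size(MB)" / 1024` would not read the field; single quotes are what mark a field name there.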