How do you run Splunk query for Field with brackets?

New Member

It might be a very simple answer, however I have not been able to find it so far.

My Splunk query has a field named "Size(MB)". I cannot get around it with an escape character, eval or rex to run the query with this type of field.

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d **avg(Size(MB))** by DBname

Re: How do you run Splunk query for Field with brackets?

SplunkTrust

@ratan2257

You just need double quotes around the name.

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d avg("Size(MB)") by DBname

Thanks


Re: How do you run Splunk query for Field with brackets?

New Member

Unfortunately that didn't work.


Re: How do you run Splunk query for Field with brackets?

SplunkTrust

@ratan2257
Is it possible to share the sample event or screenshot of this field and value?


Re: How do you run Splunk query for Field with brackets?

Builder

If your data is in a form like this:

bla bla Size(128)

Then you can extract it using regex like this:

index=dbx ServerName="bestserver" sourcetype=stats | rex "Size\((?<Size>[^\)]+)" | timechart span=1d avg(Size) by DBname

Re: How do you run Splunk query for Field with brackets?

New Member

It is not about the data, it's the field name itself with brackets ().


Re: How do you run Splunk query for Field with brackets?

Builder

For me this works: avg("Size(MB)")

You can try to rename the field like this:

your search | rename "Size(MB)" AS Size | timechart span=1d avg(Size) by DBname

PS: You do have a space after span in your example. This does not work. Correct is span=1d, not span =1d.
