- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How does punct work?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NOTE: I figured that a lot of people will search "How does punct work?" and want to know. So if you were wondering: Punct info about half way down is a basic explanation.
ACTUAL QUESTION:This questions is not as easy as the title sounds. I know exactly WHAT punct does my question is where does it do it? I want to make a similar field but I cannot find the punct field extraction in manager->fields. Does anyone know how to look at this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
punct is called both an "internal" field and a "default" field. Like many other default fields, it is computed at parsing time and stored in the index. This is very different than search-time fields.
I agree with Luke; I think this is done in code as part of the parsing process. But perhaps a more knowledgeable person will chime in.
Documentation here: Use default fields
I couldn't find anything else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
punct is called both an "internal" field and a "default" field. Like many other default fields, it is computed at parsing time and stored in the index. This is very different than search-time fields.
I agree with Luke; I think this is done in code as part of the parsing process. But perhaps a more knowledgeable person will chime in.
Documentation here: Use default fields
I couldn't find anything else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"didn't think that it would make sense to be a binary"
I meant that I didn't remember that it would make more sense that way. lol
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cpeteman @lukejadamec, To know more about punct you may refer to my answer here. Hope this will be of your help. Thank you - Saurabh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good enough for me I knew it was a default field but didn't think that it would make sense to be a binary. Coolio.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like Splunk proprietary binary code to me.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
