Splunk Search

How to extract values where the field name has multiple spaces?

gnoellbn
Explorer

Hello,

I'm trying to figure out a way to extract values where the field has multiple spaces in it.

When I do a simple search and click on the field on the left (so it's populated by Splunk automatically):

source="WinEventLog:Security"  | top limit=20 "Nom du compte "

Everything works fine. But as soon as I try a more complex search with eval or most other commands, my search doesn't bring up any results because it considers it a different field. I tried changing to single quotes, removing the last space, etc.

The problem is I can't even use rename to try to add underscores between the words.

Does anyone have an idea about this?

0 Karma

smeier
Path Finder

Old post but I ran into the same problem.

The trailing "space" character actually ended up being ASCII 160/non-breaking space.

At first I couldn't quite see that when I tried exporting raw or CSV, or copying from anywhere it is displayed on screen, but you can get at it if you click on one of the result fields and have Splunk add it to the search. Once it is in there you can copy/paste it, but now that you know, you can enter it with ALT+0160.

tobinbxnz
Explorer

Octal 160 ...

This would appear to stem from a peculiarly French punctuation rule where there is a set of punctuation marks, such as the colon, that WILL get a preceding NBSP. And, as far as I can tell, NBSP is NOT in the set of characters that make up the \s in a regex, hence it appears as the last character of the field name. Does it hurt yet?

The rule only applies to Continental French, not Canadian French ... and MS are honoring this rule in the Windows Event logs.

gnoellbn
Explorer

The space doesn't change anything. I also tried single quotes with/without the space and I get the same results. It's the same behavior if I use eval or any other command.

0 Karma

martin_mueller
SplunkTrust

Your rename doesn't have a space after "compte ".

0 Karma

gnoellbn
Explorer

It works like this. But it seems more like a bug, because the command above with "top" works fine but this one won't even generate the field Nom_du_compte:

source="WinEventLog:Security" | rename "Nom du compte" as Nom_du_compte | eval type_event=coalesce(TaskCategory,CategoryString) | eval description=coalesce(Keywords,Type) | replace "Success Audit" with "Succès de l’audit", "Audit Success" with "Succès de l’audit", "Audit Failure" with "Échec de l’audit", "Failure Audit" with "Échec de l’audit" in description | search description="Échec de l’audit"

0 Karma

martin_mueller
SplunkTrust

In eval you need to enclose non-alphanumeric identifiers, i.e. ones containing spaces or dots or other nonsense, in single quotes:

source="WinEventLog:Security" | eval foo = 'Nom du compte '

Alternatively, define a field alias or your own regex-based extraction that assigns a reasonable name from the get-go.

0 Karma

gnoellbn
Explorer

Yes, regex would be the solution, but that field 'Nom du compte ' appears twice in the log sent by Windows. I'm not good enough to write the regex, and the erex command isn't working too well for finding that second field.

0 Karma
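The following is an added example, not code from anyone in this thread. It ties together smeier's finding (the "space" is U+00A0), tobinbxnz's point about \s (reproduced here with Python's re.ASCII flag, which behaves like the regex engine the poster describes, while Python's default Unicode mode does match NBSP), and gnoellbn's problem that "Nom du compte" occurs twice in one event. The event text is constructed to look like a French-locale Windows Security logon event (ID 4624): the section names, SIDs and account names are made up, and the parser keeps the two occurrences apart by qualifying each field with the section it sits in.

```python
import re
import unicodedata

NBSP = "\u00a0"  # the character smeier found at the end of "Nom du compte "

# Constructed sample in the shape of a French-locale Windows Security event
# (logon, ID 4624). It is NOT a captured event; the text, SIDs and account
# names are made up. Each label is followed by U+00A0 before the colon, as the
# thread describes, and "Nom du compte" appears once per section.
SAMPLE_EVENT = (
    "Ouverture de session réussie d’un compte.\n"
    "\n"
    f"Sujet{NBSP}:\n"
    f"\tID de sécurité{NBSP}:\t\tS-1-5-18\n"
    f"\tNom du compte{NBSP}:\t\tSYSTEM\n"
    f"\tDomaine du compte{NBSP}:\t\tAUTORITE NT\n"
    "\n"
    f"Nouvelle ouverture de session{NBSP}:\n"
    f"\tID de sécurité{NBSP}:\t\tS-1-5-21-1-2-3-1001\n"
    f"\tNom du compte{NBSP}:\t\tjdupont\n"
    f"\tDomaine du compte{NBSP}:\t\tCORP\n"
    f"\tType d’ouverture de session{NBSP}:\t\t10\n"
)

# A section header is an unindented "Label:" line; a field is a tab-indented
# "Label:<tabs>value" line. '[^:]+' deliberately swallows the NBSP so the raw
# key shows exactly what an automatic "Label:" extraction would produce.
SECTION_RE = re.compile(r"^(?P<sec>[^\t:][^:]*):\s*$")
FIELD_RE = re.compile(r"^\t(?P<key>[^:]+):(?P<val>.*)$")


def backslash_s_matches_nbsp(ascii_only: bool) -> bool:
    """Does \\s match U+00A0? True in Python's default Unicode mode, False
    with re.ASCII, which mirrors what tobinbxnz observed in Splunk."""
    flags = re.ASCII if ascii_only else 0
    return re.fullmatch(r"\s", NBSP, flags) is not None


def hidden_chars(name: str) -> list:
    """List whitespace/format characters other than a plain ASCII space,
    e.g. ['U+00A0 at index 13'] for 'Nom du compte\\xa0'."""
    return [
        f"U+{ord(ch):04X} at index {i}"
        for i, ch in enumerate(name)
        if ch != " " and (ch.isspace() or unicodedata.category(ch) in ("Cf", "Zs"))
    ]


def normalize_name(raw: str) -> str:
    """Turn a raw label into a safe field name: punctuation and any
    whitespace (NBSP included) become '_', accents are stripped."""
    collapsed = re.sub(r"\W+", "_", raw)  # '\W' covers U+00A0 and the ’ in d’ouverture
    ascii_only = (unicodedata.normalize("NFKD", collapsed)
                  .encode("ascii", "ignore").decode())
    return ascii_only.strip("_")


def parse_event(message: str) -> list:
    """Return (raw_section, raw_key, value) triples; raw names keep the NBSP."""
    records, section = [], ""
    for line in message.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("sec")
            continue
        m = FIELD_RE.match(line)
        if m:
            records.append((section, m.group("key"), m.group("val").strip()))
    return records


def raw_field_names(message: str) -> list:
    return [key for _, key, _ in parse_event(message)]


def extract_fields(message: str) -> dict:
    """Section-qualified, normalized names, so the two 'Nom du compte'
    occurrences land in different fields instead of overwriting each other."""
    return {
        f"{normalize_name(sec)}_{normalize_name(key)}": val
        for sec, key, val in parse_event(message)
    }


if __name__ == "__main__":
    for name in raw_field_names(SAMPLE_EVENT):
        print(repr(name), hidden_chars(name) or "clean")
    for field, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{field} = {value}")
```

Running it prints each raw label with its trailing U+00A0 flagged, then fields such as Sujet_Nom_du_compte = SYSTEM and Nouvelle_ouverture_de_session_Nom_du_compte = jdupont. The same idea carries over to a Splunk-side extraction: anchor the regex on the section label that precedes each occurrence rather than on "Nom du compte" alone, and give the result a name with no whitespace in it at all, so neither the NBSP nor the quoting rules for eval come into play.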

somesoni2
SplunkTrust

Does renaming like this not work for you? (run-anywhere sample query)

|gentimes start=-1 | eval "Nom du compte "=20 | table "Nom du compte " | rename "Nom du compte " as test

0 Karma