Splunk Search

How to extract values where the field name has multiple spaces?

Explorer

Hello,

I'm trying to figure out a way to extract values where the field has multiple spaces in it.

When I do a simple search and click on the field on the left (so it's populated by Splunk automatically):

source="WinEventLog:Security"  | top limit=20 "Nom du compte "

Everything works fine. But as soon as I try to do a more complex search with eval or most other commands, my search doesn't bring up any results because it considers it a different field. I tried changing to single quotes, removing the last space, etc.

Problem is I can't even use rename to try to add underscore in between words.

Does anyone have an idea about this?


Path Finder

Old post but I ran into the same problem.

The trailing "space" character actually ended up being ASCII 160/non-breaking space.

At first I couldn't quite see that when I tried exporting raw or CSV, or copying from anywhere it is displayed on screen, but you can get at it if you click on one of the result fields and have Splunk add it to the search. Once it is in there you can copy/paste it, but now that you know, you can enter it with ALT+0160.

Explorer

Octal 160 ...

This would appear to stem from a peculiarly French punctuation rule where there is a set of punctuation marks, such as the colon, that WILL get a preceding NBSP. And, as far as I can tell, NBSP is NOT in the set of characters that make up the \s in a regex, hence it appears as the last character of the field name. Does it hurt yet?

The rule only applies to Continental French, not Canadian French ... and MS are honoring this rule in the Windows Event logs.

Explorer

The space doesn't change anything. I also tried single quotes with/without the space and I get the same results. It's the same behavior if I use eval or any other command.


SplunkTrust

Your rename doesn't have a space after "compte ".


Explorer

It works like this. But it seems more like a bug, because the command above with "top" works fine but this one won't even generate the field Nomducompte:

source="WinEventLog:Security" | rename "Nom du compte" as Nomducompte | eval type_event=coalesce(TaskCategory,CategoryString) | eval description=coalesce(Keywords,Type) | replace "Success Audit" with "Succès de l’audit", "Audit Success" with "Succès de l’audit", "Audit Failure" with "Échec de l’audit", "Failure Audit" with "Échec de l’audit" in description | search description="Échec de l’audit"


SplunkTrust

In eval you need to enclose non-alphanumeric identifiers, i.e. ones containing spaces or dots or other nonsense, in single quotes:

source="WinEventLog:Security" | eval foo = 'Nom du compte '

Alternatively, define a field alias or your own regex-based extraction that assigns a reasonable name from the get-go.


Explorer

Yes, regex would be the solution, but that field 'Nom du compte ' appears twice in the log sent by Windows. I'm not good enough to write the regex, and the erex command isn't working too well to find that second field.


SplunkTrust

Does renaming like this not work for you? (run-anywhere sample query)

|gentimes start=-1 | eval "Nom du compte "=20 | table "Nom du compte " | rename "Nom du compte " as test

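Putting the thread's advice together (the trailing character is U+00A0 rather than a space, eval needs single quotes around such names, and a regex extraction that assigns a clean name is the robust fix, including when "Nom du compte" occurs twice in one event), here is an added run-anywhere example. It is not from any of the posts above and not Splunk's own documentation. The event text is constructed: a cut-down French Security logon event in which each colon is preceded by a non-breaking space, inserted with urldecode("%C2%A0") so the invisible byte is visible in the query itself. The field names nbsp, raw_visible, account, subject_account and target_account are my own choices; the regex assumes Splunk's PCRE engine, where \x{00A0} denotes the non-breaking space and \s alone is not guaranteed to match it.

```spl
| makeresults
| eval nbsp=urldecode("%C2%A0")
| eval _raw="Sujet : Nom du compte" . nbsp . ": SYSTEM Domaine du compte" . nbsp . ": AUTORITE NT Nouvelle ouverture de session : Nom du compte" . nbsp . ": alice Domaine du compte" . nbsp . ": CORP"
| eval raw_visible=replace(_raw, "\x{00A0}", "<NBSP>")
| rex field=_raw max_match=2 "Nom du compte[\s\x{00A0}]*:\s+(?<account>\S+)"
| eval subject_account=mvindex(account, 0), target_account=mvindex(account, 1)
| table raw_visible subject_account target_account
```

The replace() line is only a diagnostic: it rewrites every NBSP in the event as the literal text <NBSP> so you can confirm what you are dealing with before writing the extraction. The rex line does the real work: the character class [\s\x{00A0}]* tolerates either a regular space or the non-breaking space before the colon, max_match=2 collects both occurrences into one multivalue field named account, and mvindex() splits them into the subject (the account that initiated the logon) and the target (the account that was logged on), which is the distinction that matters when you are hunting for failed or anomalous logons. Once the extraction assigns a name without spaces or NBSPs, the later eval, replace and search commands need no special quoting at all. To make this permanent, put the same regex in a field extraction (props.conf EXTRACT) for the WinEventLog:Security sourcetype so the clean names exist at search time for every query.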