Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to prevent a space character from delimiting and truncating my filename field?

jravida
Communicator
‎08-24-2015 01:43 PM

Hi folks,

I have some new logs coming in, and I took a look at the fieldname that has a Windows filename in it, and it is being truncated after the space character (if there happens to be one).

The events are coming in via DB Connect, multiline, and I can see the whole filename in the _raw event:

event_guid=ABDC1234-EE33-43F3-ABCDEF
file_size=3432342
source_file=//home.local/home/caddev/usernameish/temp deck overview.pptx
target_path=

So the event is indexing fine, but when I search, and Splunk does it's generic field extraction, the source_file field turns into:

source_file=//home.local/home/caddev/usernameish/temp

Is there a quick way to fix this?

0 Karma
Reply

somesoni2
Revered Legend
‎08-25-2015 11:57 AM

The raw file is multiline events OR everything is coming in single line? Does the file name always contain extension of the file??

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-24-2015 01:56 PM

you need to build the extraction for that. A quick way is to use the extract fields in the event actions.
Check these splunk docs:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/ExtractfieldsinteractivelywithIFX

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply

jravida
Communicator
‎08-25-2015 09:37 AM

The extract fields utility is broken in my install. I'll have to investigate further, but for now it is erroring out.

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...