How to use fields containing semicolons (:) in search command functions?

pkurt
Path Finder

Hello,

I am trying to use a variable from my data which has columns as in this example:

ep_9:sMeterS:SummationDeliveredL_x10k

Splunk can make simple searches with this variable as in this example:

sourcetype=Splunkish index=sandbox  id=VR00ZN000010188 ep_9:sMeterS:SummationDeliveredL_x10k

But when you want to use this variable in a function, Splunk does not let you do it. Keeping the :s seems to be confusing for Splunk. When Splunk creates the fields for this variable, it shortens it to "SummationDeliveredL_x10k" automatically so that one can use it in the function as below.

sourcetype=Splunkish index=sandbox  id=VR00ZN000010188 | timechart avg(SummationDeliveredL_x10k)

Do we know the reason for this? For my work I have to do some hard-coding to get the outputNames as inputNames, and I do not like to do this hard-coding.

Please let me know if you know a way to handle this situation.

Many thanks in advance!

ps: the data source type is the one recommended by Splunk, as in this example:

2016-01-14T22:55:07Z, event_type=datapoint, model=SPE600, id="VR00ZN000010188", ep_9:sMeterS:DemandDelivered_x10k=0
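As an added illustration, not part of the thread and not Splunk's own code: a small Python key=value extractor run over the sample event quoted above. The first pattern ends a key at any character outside `[A-Za-z0-9_]`, which reproduces the truncated field name the post describes (`DemandDelivered_x10k` instead of `ep_9:sMeterS:DemandDelivered_x10k`); that Splunk's automatic extraction uses exactly this key pattern is an assumption, not something the page states. The second pattern also accepts colons in keys, and an optional normalisation step turns the colons into underscores so the name is a plain identifier. The second event, with two endpoints in one line, is constructed for the example to show why the truncation matters: distinct keys collapse onto one field name and one value silently overwrites the other.

```python
import re

# Sample event taken from the original post (the "recommended" format).
SAMPLE_EVENT = (
    '2016-01-14T22:55:07Z, event_type=datapoint, model=SPE600, '
    'id="VR00ZN000010188", ep_9:sMeterS:DemandDelivered_x10k=0'
)

# Constructed for this example (not from the post): two endpoints whose
# keys differ only in the part before the first colon.
CONSTRUCTED_TWO_ENDPOINTS = (
    '2016-01-14T22:55:07Z, event_type=datapoint, model=SPE600, '
    'id="VR00ZN000010188", ep_9:sMeterS:DemandDelivered_x10k=0, '
    'ep_10:sMeterS:DemandDelivered_x10k=42'
)

# Key limited to [A-Za-z0-9_]: the regex engine cannot match "ep_9:..." up
# to the "=", so the leftmost match starts after the last colon. This
# reproduces the truncated name seen in the thread (assumption: the exact
# pattern Splunk's automatic extraction applies is not shown on the page).
NARROW_KV = re.compile(r'(\w+)=("([^"]*)"|[^,\s]+)')

# Key may also contain colons, so the whole
# ep_9:sMeterS:DemandDelivered_x10k token is kept as the field name.
COLON_KV = re.compile(r'([\w:]+)=("([^"]*)"|[^,\s]+)')


def extract_kv(event, pattern, normalize=False):
    """Return {field: value} for every key=value pair in `event`.

    `pattern` must expose group 1 = key, group 2 = raw value (possibly
    quoted) and group 3 = the unquoted contents when the value was quoted.
    With normalize=True, colons in keys are replaced by underscores so the
    result is an identifier that needs no quoting in most tools.
    Later duplicates overwrite earlier ones, which is how the truncation
    loses data: two different keys can map to one field name.
    """
    fields = {}
    for m in pattern.finditer(event):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        if normalize:
            key = key.replace(':', '_')
        fields[key] = value
    return fields


def lost_fields(event):
    """Names that exist with the colon-aware pattern but vanish (or are
    merged away) under the narrow pattern, for a quick sanity check."""
    narrow = extract_kv(event, NARROW_KV)
    full = extract_kv(event, COLON_KV)
    return sorted(k for k in full if k not in narrow)


if __name__ == "__main__":
    print("narrow:", extract_kv(SAMPLE_EVENT, NARROW_KV))
    print("colon-aware:", extract_kv(SAMPLE_EVENT, COLON_KV))
    print("normalised:", extract_kv(SAMPLE_EVENT, COLON_KV, normalize=True))
    print("collision:", extract_kv(CONSTRUCTED_TWO_ENDPOINTS, NARROW_KV))
    print("lost:", lost_fields(CONSTRUCTED_TWO_ENDPOINTS))
```

The collision case is the practical reason not to live with the shortened names: once `ep_9:...` and `ep_10:...` both become `DemandDelivered_x10k`, the value that survives depends on field order in the raw event and nothing in the search results reveals that a second reading was dropped. The colon-aware key/value regex above has the shape one would use in a Splunk transforms.conf `REGEX` with `_KEY_1`/`_VAL_1` named groups for a search-time extraction; whether a field whose name keeps the colons can then be passed to `avg()` without a `rename` is not settled anywhere on this page, which is why the example also offers the underscore normalisation.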

Richfez
SplunkTrust

Hopefully this will get you started.

This may be adjusted overall for this data source by the segmentation type. I think what you want to do is turn off the colon from being a MINOR segmenter character at least at search time on this sourcetype using segmenters.conf. You may be able to change the segmentation type (which can be done from the GUI as per this article on setting the search time event segmentation by the web)

I'm no expert in this, but I think fiddling with the search time segmentation type may get you the results you want.

0 Karma

pkurt
Path Finder

Thank you so much for your advice!

I think I tried what you suggested. I removed ":" from the MINOR segmenters in segmenters.conf. When that did not work I also removed it from the MAJOR segmenters in all lines. It still did not work, even when I restarted Splunk. The extracted field name in the Splunk GUI still ignores the part before the ":".

I am not sure what else to try. If you have any other ideas I would love to hear.
