I want to index fieldName which contains square br...

pallavikarpaklu · ‎10-06-2020

Hi,

I want to index a fieldName which contains square brackets

Below is the key-value pair format I have and splunk is not indexing keys value which consists []
eg: root[60]_level[5]=value

Any suggestions?

richgalloway · ‎10-06-2020

Square brackets are not allowed in field names. If Splunk encounters such a field name, it will convert the unacceptable characters into underscores.

---
If this reply helps you, Karma would be appreciated.

pallavikarpaklu · ‎10-06-2020

Thanks for the response.

But as I mentioned earlier splunk is logging as root[60]_level[5]=value
[] are not converted to underscores.

Do I need to do any property changes for that ?

Suppose the conversion is done and my key is replaced with double underscores like below "root_60__level_5_=value"
Does splunk honurs double underscore and still index the key "root_60__level_5_"?

Nisha18789 · ‎10-07-2020

Hi @pallavikarpaklu , could you please give example of what is the actual key-value pair in log and what Splunk is indexing ?

pallavikarpaklu · ‎10-07-2020

Sure. Below is the sample logger with two keys "root[60]_level[5]" and "root_string".

2020-10-07 17:50:04,208 - INFO - root[60]_level[5]=value, root_string=value

root_string - This key is indexed

root[60]_level[5] - This key is not indexed.

I am open to try any kind of key transformations but I want the key to be indexed. Please suggest.

Nisha18789 · ‎10-08-2020

hi @pallavikarpaklu , could you please also provide the current props.conf/transforms.conf stanza you are using for indexing this data.

I want to index fieldName which contains square brackets

field extraction

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)