Splunk Search

I want to index fieldName which contains square brackets

pallavikarpaklu
Explorer

Hi,

I want to index a fieldName which contains square brackets

Below is the key-value pair format I have and  splunk is not indexing keys value which consists []
eg: root[60]_level[5]=value

Any suggestions?

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Square brackets are not allowed in field names.  If Splunk encounters such a field name, it will convert the unacceptable characters into underscores.

---
If this reply helps you, Karma would be appreciated.

pallavikarpaklu
Explorer

Thanks for the response.

But as I mentioned earlier  splunk is logging as root[60]_level[5]=value
[] are not converted to underscores.

Do I need to do any property changes for that ?

Suppose the conversion is done and my key is replaced with  double underscores like below "root_60__level_5_=value"
Does splunk honurs double underscore and still index the key "root_60__level_5_"?



Nisha18789
Builder

Hi @pallavikarpaklu , could you please give example of what is the actual key-value pair in log and what Splunk is indexing ?

 

 

0 Karma

pallavikarpaklu
Explorer


Sure. Below is the sample logger with two keys  "root[60]_level[5]" and "root_string".

2020-10-07 17:50:04,208 - INFO - root[60]_level[5]=value, root_string=value

root_string - This key is indexed

root[60]_level[5] - This key is not indexed.

I am open to try any kind of  key transformations but I want the key to be indexed. Please suggest.

0 Karma

Nisha18789
Builder

hi @pallavikarpaklu , could you please also provide the current props.conf/transforms.conf stanza you are using for indexing this data.

 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...