Solved: Is there a list of unusable field names?

krisreeves · ‎05-15-2018

Note: The question is not "how do I search for a field with the name of tag", but "what other field name(s) behave like this"?

We recently ran into this case:

A user logged a message that included the text tag="some stuff"
User tried to search by that field, but gets an error like unable to find tag "some stuff"

tag appears to be a reserved word, but I was unable to find a list of any other cases like this. It's unfortunate that the tags functionality (which isn't in use) uses the same syntax as field matching here.

We'd like to add some code to warn on this kind of case, is there a list of all such keywords which, when searching keyword=foo, would not actually match the field name keyword?

HiroshiSatoh · ‎05-16-2018

You can search by escaping the double quotation.

index=XXX "tag=\"some stuff\""

The following are used in the basic search part.
※If there is a shortage, please someone supplement.

Internal fields
_raw, _time, _indextime, _cd

Basic default fields
host, index, linecount, punct, source, sourcetype, splunk_server, timestamp

Default datetime fields
date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone

etc
tag,eventtype,earliest,latest

View solution in original post

krisreeves · ‎05-17-2018

So far, beyond the default fields listed here: https://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Aboutdefaultfields

There is tag and eventtype

niketn · ‎05-16-2018

@krisreeves for the data that you have ingested seems like there is tag (and possibly eventtype) created.
You would need to create a Field Extraction to name the field something other than tag like Tag with uppercase T.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

HiroshiSatoh · ‎05-16-2018

You can search by escaping the double quotation.

index=XXX "tag=\"some stuff\""

The following are used in the basic search part.
※If there is a shortage, please someone supplement.

Internal fields
_raw, _time, _indextime, _cd

Basic default fields
host, index, linecount, punct, source, sourcetype, splunk_server, timestamp

Default datetime fields
date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone

etc
tag,eventtype,earliest,latest

krisreeves · ‎05-16-2018

This is good to know! My question is, however, different: I'm looking to know which, if any, other field names behave like this so that we can avoid using them entirely

HiroshiSatoh · ‎05-18-2018

The following are used in the basic search part.
※If there is a shortage, please someone supplement.

Internal fields
_raw, _time, _indextime, _cd

Basic default fields
host, index, linecount, punct, source, sourcetype, splunk_server, timestamp

Default datetime fields
date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone

etc
tag,eventtype,earliest,latest

krisreeves · ‎05-18-2018

Ah, of course -- I should have thought about earliest and latest 🙂 If you could edit this into your answer I'd like to accept this as the answer?

Is there a list of unusable field names?

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...