Report results to event summary index, why value w...

JykkeDaMan · ‎10-05-2022

Isn't hyphen a minor breaker so I'm wondering why the values with hyphen get double quoted when doing summary indexing? This breaks the tstats TERM and PREFIX usage.

Assume I have the following datas:

_time	field1	field2
2022-10-05 22:22:22	what-not	whatnot

Will end up into summary event index with:

10/05/2022 22:22:22, field="what-not", field=whatnot

What I have missed when populating my summary index?-)

ITWhisperer · ‎10-06-2022

You need to add the collect_ignore_minor_breakers=true statement to the [collect] stanza in your limits.conf

https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Collect?ref=hk#The_collect_and_ts...

JykkeDaMan · ‎10-06-2022

But is this only 9.x feature, since I cannot find it from 8.x. I'm still running 8.1.2.

gcusello · ‎10-06-2022

Hi @JykkeDaMan,

hyphen is usually intepretated by Splunk as the sign of the subtraction, so if you want to use it in a field name, you have to use quotes for that field.

For this reason it's always better to use underscore instead hyphen.

Ciao.

Giuseppe

Report results to event summary index, why value with hyphen (-) is double quoted?

tstats

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases