Splunk Search

Searching strings with accented characters

LordLeet
Path Finder

Hello,

I'm having an issue when trying to filter events based on accented characters.

For instance if I look at the ingested events, index=my_index sourcetype=my_source , I will be able to see the events that have the field value I'm looking for:

... asset_name ...
... D. João ...

If I try to filter the events at search time index=my_index sourcetype=my_source asset_name="D. João" , the "No results found." message is displayed, the same applies if I select the desired field value from the field's list on the left.

How can I get this to work?

I've looked for similar questions here on the Splunk Answers forum but it mainly points for the sourcetype encoding, which I think might not be the issue, since the events seem to be properly encoded.

Thanks in advance!

0 Karma

ddrillic
Ultra Champion

-- since the events seem to be properly encoded...

What is the encoding?

A similar thread at - How do I search for accented characters?

0 Karma

LordLeet
Path Finder

Hello ddrillic,

It's set to default.

From my previous research on other threads here on the forum, my understanding was that if the characters are show properly the encoding selected by Splunk would be correct.

If this is not the case I might need to manually select the correct one. Would changing the current encoding affect already ingested data or only the data ingested from now on?

Thanks

0 Karma

CarsonZa
Contributor

try something to the affect of |regex ã

0 Karma

LordLeet
Path Finder

Hello CarzonZa,

It works if I use the ´| regex ´ command, is this the only way to retrieve the filtered data?

I'm worried about this, since I tried to use the ´like()´ function and it didn't calculate properly.

´index="index_name" source="source_name"
| regex field_name="Carvão"
| eval x=if(like(field_name,"%ã%"),1,0)
| stats count by x´

It only counts x=0

Thanks

0 Karma

CarsonZa
Contributor

create a capture group like so

| rex field=_raw "\s(?<name>.*)" 
| eval x=if(like(name,"%ã%"),1,0) 
| stats count by name
0 Karma

LordLeet
Path Finder

Hello CarsonZa,

That works, though using regex would not be the final solution I would like to implement since the majority of the users that perform searches do not possess the required knowledge.

I might have to assess the encoding to prevent this from happening.

Thanks

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...