Splunk Search

Splunk breaks a saved search report if a field value contains a colon. Do I need to escape the colon, and how?

sunbol
New Member

Splunk breaks a saved search report if the field value contains a colon. My source record is below.

[2015-07-29 12:43:53,782  user: ataeva | userAsIsCase: AtaevA | action: approved | name: ia_promotions | id: 1370545662068 | assettype: SECArticle | target: 1370539530396 | division_office: OIEA | assetlink: http://wcm.sec.gov/servlet/ContentServer?id=1370545662068&AssetType=SECArticle&cs_environment=standa... | title: Investor Alert:  Fraudulent Stock Promotions |  Status: Approved | url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stageurl: http://wcm.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stagehost: wcm.sec.gov | deliveryhost: www.sec.gov | path: oiea/investor-alerts-bulletins/ia_promotions.html

Take a look at the title: field value. It has a colon after "Investor Alert". How do I fix this? Do I need to escape it, and how?

0 Karma
1 Solution

woodcock
Esteemed Legend

You can fix this one of 2 ways: you can have the person who creates these events encapsulate the title value inside double quotes so that it shows up as ... | title: "Investor Alert: Fraudulent Stock Promotions" | ... OR you can use a different approach for KVP extraction (I assume that you are using something like | extract pairdelim="|", kvdelim=":") that is more directly programmable. Try this:

In props.conf:

[mySourceType]
REPORT-search_time_extractions = my_KVPs

In transforms.conf:

[my_KVPs]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^:]+):\s+([^\|]*)(?:\s+\||$)
SOURCE_KEY = message


0 Karma

sunbol
New Member

Thanks Woodcock. The first option requires a JAR deployment and a restart of the server on the Splunk forwarder side. The second option requires admin access to update transforms? Am I right? I haven't created any prop extracts for the Title field.
Though based on your inputs, I am thinking of adding the following regex to my saved search. Please let me know your thoughts.

Since the data set isn't large, I am planning on a regular expression to redefine the field title. Insert

| rex field=_raw "|\s+title:\s+(?

0 Karma

woodcock
Esteemed Legend

You can add a props entry and a transforms entry from the GUI without full admin privileges depending on how your roles are setup. As far as extracting your Title, you can do this:

| rex field=_raw "\|\s+title:\s+(?<Title>[^\|]*)(?:\s+\||$)"

0 Karma
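The following is an added example, not code from either poster or from Splunk. It runs the two regular expressions from this thread (the transforms.conf REGEX in the accepted answer and the | rex from the last reply) in Python over a sample record modelled on the one in the question, next to a model of a plain delimiter split (pairdelim="|", kvdelim=":"), so you can see why the title value loses its tail in the delimiter approach and survives in the regex approach. Assumptions: the sample MESSAGE is constructed and shortened (the assetlink value is left out); SOURCE_KEY = message is taken to hold the event body after the timestamp; the named group is written in Python's (?P<Title>...) syntax instead of Splunk's (?<Title>...).

```python
import re

# Constructed sample, modelled on the record in the question (shortened; the
# assetlink value is left out). MESSAGE is what the answer's SOURCE_KEY = message
# is assumed to hold: the event body after the timestamp.
MESSAGE = ("user: ataeva | userAsIsCase: AtaevA | action: approved | "
           "name: ia_promotions | id: 1370545662068 | assettype: SECArticle | "
           "title: Investor Alert:  Fraudulent Stock Promotions |  Status: Approved | "
           "url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | "
           "stagehost: wcm.sec.gov | deliveryhost: www.sec.gov | "
           "path: oiea/investor-alerts-bulletins/ia_promotions.html")
RAW = "2015-07-29 12:43:53,782  " + MESSAGE   # what _raw would hold

# REGEX from the accepted answer's transforms.conf stanza, unchanged.
KVP_REGEX = re.compile(r"([^:]+):\s+([^\|]*)(?:\s+\||$)")

# The | rex from the last reply. Splunk (PCRE) writes the named group as
# (?<Title>...); Python's re needs (?P<Title>...), the only change made here.
TITLE_REGEX = re.compile(r"\|\s+title:\s+(?P<Title>[^\|]*)(?:\s+\||$)")


def naive_extract(message):
    """Model of a delimiter-based extraction (pairdelim="|", kvdelim=":").
    Every colon is treated as a key/value separator, so a value that itself
    contains a colon (the title, any http:// URL) keeps only the text before
    its first colon."""
    fields = {}
    for pair in message.split("|"):
        parts = [p.strip() for p in pair.split(":")]
        if len(parts) >= 2 and parts[0]:
            fields[parts[0]] = parts[1]   # anything past the second colon is dropped
    return fields


def transforms_extract(message):
    """Apply the answer's transforms.conf REGEX across the message. Each match
    yields one key ($1) and one value ($2). Because the key group [^:]+ also
    swallows the whitespace after the previous pipe, keys are stripped here;
    MV_ADD = 1 means a repeated key collects every value, so values are lists."""
    fields = {}
    for key, value in KVP_REGEX.findall(message):
        fields.setdefault(key.strip(), []).append(value)
    return fields


def rex_title(raw):
    """The | rex field=_raw from the last reply: it anchors on '| title:' and
    reads up to the next pipe, so the colon inside the value is kept."""
    m = TITLE_REGEX.search(raw)
    return m.group("Title") if m else None


if __name__ == "__main__":
    print("delimiter split title:", naive_extract(MESSAGE)["title"])
    print("transforms title:     ", transforms_extract(MESSAGE)["title"])
    print("rex Title:            ", rex_title(RAW))
```

One check worth making before relying on the transforms stanza: the key group [^:]+ stops at the first colon it meets, so if message still contains the timestamp (12:43:53,782), the first key absorbs part of it. Either point SOURCE_KEY at a field that holds only the body, or anchor on the pipe the way the rex in the last reply does.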