Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk break a saved search report if a field value contains a colon. Do I need to escape the colon and how?

sunbol
New Member
‎08-03-2015 07:09 AM

Splunk breaks saved search report if the field value contains a colon. My source record is below.

[2015-07-29 12:43:53,782  user: ataeva | userAsIsCase: AtaevA | action: approved | name: ia_promotions | id: 1370545662068 | assettype: SECArticle | target: 1370539530396 | division_office: OIEA | assetlink: http://wcm.sec.gov/servlet/ContentServer?id=1370545662068&AssetType=SECArticle&cs_environment=standa... | title: Investor Alert:  Fraudulent Stock Promotions |  Status: Approved | url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stageurl: http://wcm.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stagehost: wcm.sec.gov | deliveryhost: www.sec.gov | path: oiea/investor-alerts-bulletins/ia_promotions.html

Take a look at the title: field value. It has colon after Investor-Alert: How to fix this? Do I need to escape it and how?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-03-2015 08:11 AM

You can fix this one of 2 ways: you can have the person who creates these events encapsulate the title value inside double quotes so that it shows up as ... | title: "Investor Alert: Fraudulent Stock Promotions" | ... OR you can use different approach for KVP extraction (I assume that you are using something like | extract pairdelim="|", kvdelim=":") that is more directly programmable. Try this:

In props.conf:

[mySourceType]
REPORT-search_time_extractions = my_KPVs

In transforms.conf:

[my_KVPs]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^:]+):\s+([^\|]*)(?:\s+\||$)
SOURCE_KEY = message

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-03-2015 08:11 AM

You can fix this one of 2 ways: you can have the person who creates these events encapsulate the title value inside double quotes so that it shows up as ... | title: "Investor Alert: Fraudulent Stock Promotions" | ... OR you can use different approach for KVP extraction (I assume that you are using something like | extract pairdelim="|", kvdelim=":") that is more directly programmable. Try this:

In props.conf:

[mySourceType]
REPORT-search_time_extractions = my_KPVs

In transforms.conf:

[my_KVPs]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^:]+):\s+([^\|]*)(?:\s+\||$)
SOURCE_KEY = message
0 Karma
Reply
Solved! Jump to solution

sunbol
New Member
‎08-03-2015 09:06 AM

Thanks Woodcock. First option requires a JAR deployment and restart of the server on the splunk forwarder side. Second option requires admin access to update transforms? Am I right? I haven't created any prop extracts for the Title field.
Though based on your inputs, I am thinking adding the following regex to my saved search. Please let me know your thoughts.

Since the data set isn’t large, planing on regular expression to redefine field title. Insert

| rex field=_raw "|\s+title:\s+(?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-03-2015 09:37 AM

You can add a props entry and a transforms entry from the GUI without full admin privileges depending on how your roles are setup. As far as extracting your Title, you can do this:

| rex field=_raw "\|\s+title:\s+(?<Title>[^\|]*)(?:\s+\||$)"
0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...