Splunk Search

Splunk breaks a saved search report if a field value contains a colon. Do I need to escape the colon, and how?

sunbol
New Member

Splunk breaks a saved search report if the field value contains a colon. My source record is below.

[2015-07-29 12:43:53,782  user: ataeva | userAsIsCase: AtaevA | action: approved | name: ia_promotions | id: 1370545662068 | assettype: SECArticle | target: 1370539530396 | division_office: OIEA | assetlink: http://wcm.sec.gov/servlet/ContentServer?id=1370545662068&AssetType=SECArticle&cs_environment=standa... | title: Investor Alert:  Fraudulent Stock Promotions |  Status: Approved | url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stageurl: http://wcm.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stagehost: wcm.sec.gov | deliveryhost: www.sec.gov | path: oiea/investor-alerts-bulletins/ia_promotions.html

Take a look at the title: field value. It has a colon after Investor Alert: How to fix this? Do I need to escape it, and how?

0 Karma
1 Solution

woodcock
Esteemed Legend

You can fix this in one of two ways: you can have the person who creates these events encapsulate the title value inside double quotes so that it shows up as ... | title: "Investor Alert: Fraudulent Stock Promotions" | ... OR you can use a different approach to KVP extraction (I assume that you are using something like | extract pairdelim="|", kvdelim=":") that is more directly programmable. Try this:

In props.conf:

[mySourceType]
# Search-time extraction; the name must match the transforms.conf stanza below
REPORT-search_time_extractions = my_KVPs

In transforms.conf:

[my_KVPs]
# $1 becomes the field name and $2 its value
FORMAT = $1::$2
# keep repeated values of the same field as a multivalue field instead of overwriting
MV_ADD = 1
# key = everything up to a colon; value = everything up to the next " |" or the end of the event,
# so a colon inside a value (title: Investor Alert: ...) is just part of the value
REGEX = ([^:]+):\s+([^\|]*)(?:\s+\||$)
SOURCE_KEY = message


0 Karma


sunbol
New Member

Thanks Woodcock. The first option requires a JAR deployment and a restart of the server on the Splunk forwarder side. The second option requires admin access to update transforms? Am I right? I haven't created any prop extracts for the Title field.
Though based on your inputs, I am thinking of adding the following regex to my saved search. Please let me know your thoughts.

Since the data set isn't large, I am planning on using a regular expression to redefine the field title. Insert

| rex field=_raw "|\s+title:\s+(?

0 Karma

woodcock
Esteemed Legend

You can add a props entry and a transforms entry from the GUI without full admin privileges, depending on how your roles are set up. As far as extracting your Title, you can do this:

| rex field=_raw "\|\s+title:\s+(?<Title>[^\|]*)(?:\s+\||$)"
0 Karma
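The two regexes from the thread (the REPORT transform in the accepted answer and the `rex` in the last reply), run against the record quoted in the question and compared with a naive `|` / `:` split, so the colon-in-value breakage and the fix are both visible. This is an added example, not code from the original thread or from Splunk; it uses Python's `re`, which for these constructs behaves like Splunk's PCRE except that a named group is written `(?P<Title>...)` instead of `(?<Title>...)`. The `STRICT_PAIR_RE` variant at the end is my own tightening of the posted regex, not something the thread proposes, and the `naive_extract` function is a stand-in for a plain delimiter split, not a re-implementation of Splunk's `extract` command.

```python
"""Added example (not part of the Splunk Answers thread): run the thread's
extraction regexes on the record from the question and compare them with a
naive delimiter split, so the colon-inside-a-value failure is visible."""
import re

# The event from the question, verbatim (the "standa..." truncation is in the
# original post, not something cut here).
RECORD = (
    "[2015-07-29 12:43:53,782  user: ataeva | userAsIsCase: AtaevA | action: approved"
    " | name: ia_promotions | id: 1370545662068 | assettype: SECArticle"
    " | target: 1370539530396 | division_office: OIEA"
    " | assetlink: http://wcm.sec.gov/servlet/ContentServer?id=1370545662068"
    "&AssetType=SECArticle&cs_environment=standa..."
    " | title: Investor Alert:  Fraudulent Stock Promotions |  Status: Approved"
    " | url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html"
    " | stageurl: http://wcm.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html"
    " | stagehost: wcm.sec.gov | deliveryhost: www.sec.gov"
    " | path: oiea/investor-alerts-bulletins/ia_promotions.html"
)

# REGEX from the accepted answer's transforms.conf stanza, unchanged.
POSTED_PAIR_RE = re.compile(r"([^:]+):\s+([^\|]*)(?:\s+\||$)")

# The `rex` from the final reply; only the named-group syntax differs in Python.
TITLE_RE = re.compile(r"\|\s+title:\s+(?P<Title>[^\|]*)(?:\s+\||$)")

# Added variant (mine, not from the thread): the key must be one \w+ token, so
# the leading "[2015-07-29 12:43:53,782" can no longer be absorbed into the
# first key, and trailing whitespace is trimmed from the value by the lookahead.
STRICT_PAIR_RE = re.compile(r"(\w+):\s+([^|]*?)\s*(?=\||$)")


def naive_extract(record):
    """Stand-in for a plain delimiter split ('|' between pairs, ':' between key
    and value): whatever follows the first colon in a value is lost. This is
    the breakage the question describes, not Splunk's `extract` algorithm."""
    fields = {}
    for chunk in record.split("|"):
        parts = chunk.split(":")
        if len(parts) >= 2:
            fields[parts[0].strip()] = parts[1].strip()
    return fields


def extract_pairs(record, pattern):
    """Apply a two-group key/value regex over the whole event, the way
    FORMAT = $1::$2 names a field per match. The posted regex captures the
    whitespace after each ' |' into the key, so keys are stripped here; values
    are returned exactly as captured."""
    return {m.group(1).strip(): m.group(2) for m in pattern.finditer(record)}


def extract_title(record):
    """Equivalent of the `| rex field=_raw ...` line: the colon inside the
    title is ordinary text because the value runs to the next ' |'."""
    m = TITLE_RE.search(record)
    return m.group("Title") if m else None


if __name__ == "__main__":
    posted = extract_pairs(RECORD, POSTED_PAIR_RE)
    strict = extract_pairs(RECORD, STRICT_PAIR_RE)
    print("naive  title  :", naive_extract(RECORD)["title"])
    print("posted title  :", posted["title"])
    print("posted 1st key:", next(iter(posted)))   # timestamp fragment leaks in
    print("strict 1st key:", next(iter(strict)))
    print("rex    Title  :", extract_title(RECORD))
```

Running it shows the naive split stops the title at "Investor Alert" and reduces every URL value to "http", while both regexes from the thread keep "Investor Alert:  Fraudulent Stock Promotions" intact. One caveat worth knowing before deploying the posted transform as-is: because its key group is `[^:]+`, the first pair's key comes out as "53,782  user" rather than "user", since the timestamp's colons are not followed by whitespace and the match slides forward until it finds one; the stricter variant avoids that by requiring the key to be a single word token.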