Splunk breaks saved search report if the field value contains a colon. My source record is below.
[2015-07-29 12:43:53,782 user: ataeva | userAsIsCase: AtaevA | action: approved | name: ia_promotions | id: 1370545662068 | assettype: SECArticle | target: 1370539530396 | division_office: OIEA | assetlink: http://wcm.sec.gov/servlet/ContentServer?id=1370545662068&AssetType=SECArticle&cs_environment=standa... | title: Investor Alert: Fraudulent Stock Promotions | Status: Approved | url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stageurl: http://wcm.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stagehost: wcm.sec.gov | deliveryhost: www.sec.gov | path: oiea/investor-alerts-bulletins/ia_promotions.html
Take a look at the title: field value. It has a colon after "Investor Alert". How do I fix this? Do I need to escape it, and how?
You can fix this one of 2 ways: you can have the person who creates these events encapsulate the title value inside double quotes so that it shows up as

... | title: "Investor Alert: Fraudulent Stock Promotions" | ...

OR you can use a different approach for KVP extraction (I assume that you are using something like | extract pairdelim="|", kvdelim=":") that is more directly programmable. Try this:

props.conf:
[mySourceType]
REPORT-search_time_extractions = my_KVPs

transforms.conf:
[my_KVPs]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^:]+):\s+([^\|]*)(?:\s+\||$)
SOURCE_KEY = message
Thanks Woodcock. The first option requires a JAR deployment and a restart of the server on the Splunk forwarder side. The second option requires admin access to update transforms? Am I right? I haven't created any props extracts for the Title field.

Though based on your inputs, I am thinking of adding the following regex to my saved search. Please let me know your thoughts. Since the data set isn't large, I am planning on a regular expression to redefine the field title. Insert:

| rex field=_raw "|\s+title:\s+(?
You can add a props entry and a transforms entry from the GUI without full admin privileges, depending on how your roles are set up. As far as extracting your Title, you can do this:

| rex field=_raw "\|\s+title:\s+(?<Title>[^\|]*)(?:\s+\||$)"
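As an added illustration (not code from this thread or from Splunk), the Python script below runs the transforms REGEX from the first answer and the rex from the last answer over a constructed message modelled on the record in the question, beside a naive splitter that treats every colon as a delimiter. The naive splitter is an assumed model of the symptom, not Splunk's actual extract implementation; stripping the leading space from each key and the `(?P<...>)` named-group syntax are Python-side details.

```python
import re

# Constructed message modelled on the record in the question (fields trimmed,
# assetlink dropped). This is what SOURCE_KEY = message would hand the regex.
MESSAGE = (
    "user: ataeva | userAsIsCase: AtaevA | action: approved | name: ia_promotions "
    "| id: 1370545662068 | title: Investor Alert: Fraudulent Stock Promotions "
    "| Status: Approved | url: http://www.sec.gov/oiea/ia_promotions.html "
    "| path: oiea/ia_promotions.html"
)

# REGEX from the suggested transforms.conf stanza, unchanged.
KVP_RE = re.compile(r"([^:]+):\s+([^\|]*)(?:\s+\||$)")

# rex from the final answer; Python spells the named group (?P<Title>...).
TITLE_RE = re.compile(r"\|\s+title:\s+(?P<Title>[^\|]*)(?:\s+\||$)")


def naive_kv_extract(message):
    """Assumed naive behaviour: split on '|' for pairs, then on EVERY ':'.
    A pair whose value itself contains a colon (title, any URL) yields more
    than two parts and is reported as broken instead of being extracted."""
    fields, broken = {}, []
    for pair in message.split("|"):
        parts = [p.strip() for p in pair.split(":")]
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
        else:
            broken.append(pair.strip())
    return fields, broken


def regex_kv_extract(message):
    """Apply the transforms-style regex repeatedly. The key stops at the
    first colon and the value runs to the next ' |' or end of message, so
    colons inside values (and inside URLs) survive intact."""
    fields = {}
    for m in KVP_RE.finditer(message):
        # The key group also captures the space after the previous '|'; trim it.
        fields[m.group(1).strip()] = m.group(2)
    return fields


def extract_title(message):
    """Single-field extraction equivalent to the rex in the final answer."""
    m = TITLE_RE.search(message)
    return m.group("Title") if m else None


if __name__ == "__main__":
    fields, broken = naive_kv_extract(MESSAGE)
    print("naive: title =", fields.get("title"), "; broken pairs:", broken)
    print("regex: title =", regex_kv_extract(MESSAGE)["title"])
    print("rex  : Title =", extract_title(MESSAGE))
```

Running it shows the naive split losing both the title and the url pairs, while the regex keeps every pair and the title value's inner colon.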