Splunk Search

Strptime bug with fields with spaces or periods

jlucas4
Explorer

I came across this bug today when using strptime. Strptime does not work on field names that have spaces or periods.
For example,
epochtime=strptime(first_discovered, "%b %e, %Y %H:%M:%S %Z") works

but

epochtime=strptime(first.discovered, "%b %e, %Y %H:%M:%S %Z")
and
epochtime=strptime("first discovered", "%b %e, %Y %H:%M:%S %Z")

do not work.
Is there a place to fill out a bug report?

1 Solution

woodcock
Esteemed Legend

It is not a bug; use single-quotes, like this:

epochtime=strptime('first discovered', "%b %e, %Y %H:%M:%S %Z")

This is for field names in other places, too. Sometimes you need double-quotes, other times single-quotes, depending on where/how the field name is used. Whitespace in field names is EVIL. ONLY do so on the VERY last line of your SPL with | rename benevolentFieldName AS "Evil Field Name"


techiesid
SplunkTrust

Hi @jlucas4 ,

If you see the Splunk documentation for the eval command, that would probably answer your question. I am pasting those lines below:

  1. If the expression references a field name that contains non-alphanumeric characters, other than the underscore ( _ ) character, the field name needs to be surrounded by single quotation marks. For example, if the field name is server-1 you specify the field name like this new=count+'server-1'.

  2. If the expression references a literal string, that string needs to be surrounded by double quotation marks. For example, if the string you want to use is server- you specify the string like this new="server-".host.

https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Eval

Hope this helps.

Sid
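The quoting rule from woodcock's solution and from the eval documentation quoted above, applied end to end (an added example, not code from either post): the field with a space is renamed to a safe name before any eval touches it, the parse is checked so unparsed values are visible instead of silently null, and the display name is restored only on the last line. The sample values are constructed; one of them is deliberately not a date.

```spl
| makeresults count=2
| streamstats count AS n
| eval "first discovered"=if(n=1, "Jan 15, 2020 13:45:00 UTC", "not a date")
| rename "first discovered" AS first_discovered
| eval epochtime=strptime(first_discovered, "%b %e, %Y %H:%M:%S %Z")
| eval parse_status=if(isnull(epochtime), "unparsed", "ok")
| fields - n
| rename first_discovered AS "First Discovered"
| table "First Discovered" epochtime parse_status
```

The single-quoted form strptime('first discovered', ...) from the solution above works too; renaming first just avoids having to remember which quote style each later command expects.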

jlucas4
Explorer

I completely agree, spaces are evil. Unfortunately, we were monitoring a CSV with whitespace in the field names. Now, we are going to use SEDCMD-replacespace in props.conf so we don't run into that issue anymore.

Do you know what is the reasoning behind not allowing double-quotes in this instance?

woodcock
Esteemed Legend

The use of double-quotes both in Splunk and most other languages is generally an indication of an object type of string literal. The fact that sometimes it is used otherwise is unfortunate. In Splunk, you can always use $ to indicate this is a field name but I generally do not propose this because eventually most searches end up inside of dashboards/macro/foreach/map and then those searches break. So the general approach should be:
0: DO NOT use spaces in field names but, if you absolutely must:
1: Make sure it works in SPL with $field name$.
2: Try 'field name' and if that works, done; otherwise
3: Try "field name".

to4kawa
Ultra Champion
| makeresults 
| eval field_sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval field.sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval "field sample"=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval result1=strptime(field_sample, "%b %e, %Y %H:%M:%S %Z")
| eval result2=strptime(field.sample, "%b %e, %Y %H:%M:%S %Z")
| eval result3=strptime("field sample", "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash=strptime('field.sample', "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash=strptime('field sample', "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash_dash=strptime($field.sample$, "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash_dash=strptime($field sample$, "%b %e, %Y %H:%M:%S %Z")

This works, awesome

to4kawa
Ultra Champion
| makeresults 
| eval field_sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval field.sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval "field sample"=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval result1=strptime(field_sample, "%b %e, %Y %H:%M:%S %Z")
| eval result2=strptime(field.sample, "%b %e, %Y %H:%M:%S %Z")
| eval result3=strptime("field sample", "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash=strptime('field.sample', "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash=strptime('field sample', "%b %e, %Y %H:%M:%S %Z")

Interestingly, the field in the case of function arguments needs to be enclosed in single quotes.
