Splunk Search

Strptime bug with fields with spaces or periods

jlucas4
Explorer

I came across this bug today when using strptime. Strptime does not work on field names that have spaces or periods.
For example,
epochtime=strptime(first_discovered, "%b %e, %Y %H:%M:%S %Z") works

but

epochtime=strptime(first.discovered, "%b %e, %Y %H:%M:%S %Z")
and
epochtime=strptime("first discovered", "%b %e, %Y %H:%M:%S %Z")

do not work.
Is there a place to fill out a bug report?

1 Solution

woodcock
Esteemed Legend

It is not a bug; use single-quotes, like this:

epochtime=strptime('first discovered', "%b %e, %Y %H:%M:%S %Z")

This is for field names in other places, too. Sometimes you need double-quotes, other times single-quotes, depending on where/how the field name is used. Whitespace in field names is EVIL. ONLY do so on the VERY last line of your SPL with | rename benevolentFieldName AS "Evil Field Name"


techiesid
SplunkTrust

Hi @jlucas4 ,

If you look at the Splunk documentation for the eval command, that would probably answer your question. I am pasting those lines below:

  1. If the expression references a field name that contains non-alphanumeric characters, other than the underscore ( _ ) character, the field name needs to be surrounded by single quotation marks. For example, if the field name is server-1 you specify the field name like this new=count+'server-1'.

  2. If the expression references a literal string, that string needs to be surrounded by double quotation marks. For example, if the string you want to use is server- you specify the string like this new="server-".host.

https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Eval

Hope this helps.

Sid

jlucas4
Explorer

I completely agree, spaces are evil. Unfortunately, we were monitoring a CSV with whitespace in the field names. Now, we are going to use SEDCMD-replacespace in props.conf so we don't run into that issue anymore.

Do you know what the reasoning is behind not allowing double-quotes in this instance?

woodcock
Esteemed Legend

The use of double-quotes, both in Splunk and in most other languages, is generally an indication of an object type of string literal. The fact that sometimes it is used otherwise is unfortunate. In Splunk, you can always use $ to indicate this is a field name, but I generally do not propose this because eventually most searches end up inside of dashboards/macros/foreach/map and then those searches break. So the general approach should be:
0: DO NOT use spaces in field names but, if you absolutely must:
1: Make sure it works in SPL with $fiend name$.
2: Try 'fiend name' and if that works, done; otherwise
3: Try "fiend name".
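An added illustration of the point made in this thread (editor's example, not code from any of the posters): with double quotes, strptime() parses the literal string "first discovered" rather than the field, so it quietly returns null, and a detection search built on that timestamp would simply return no matches instead of erroring. The search below constructs its own sample value with makeresults, shows the literal form beside the single-quoted field reference, flags the silent failure with an isnull() check, and applies the "rename on the very last line" pattern. The field name "first discovered" and the "First Discovered (epoch)" label are assumed for the example.

```spl
| makeresults
| eval "first discovered"="Jan 15, 2020 14:30:00 UTC"
| eval as_literal=strptime("first discovered", "%b %e, %Y %H:%M:%S %Z")
| eval as_field=strptime('first discovered', "%b %e, %Y %H:%M:%S %Z")
| eval parse_status=if(isnull(as_field), "PARSE FAILED: check field quoting", "ok")
| eval first_discovered_epoch=as_field
| fields - as_literal, as_field
| rename first_discovered_epoch AS "First Discovered (epoch)"
```

as_literal comes back empty because the double-quoted argument is a string literal, while as_field holds the epoch value; parse_status is the kind of guard worth keeping in a correlation search, since a null timestamp otherwise disappears silently from any later where or stats clause. Working with the underscore-only name first_discovered_epoch and renaming only at the end keeps the quoting problem out of every intermediate pipe.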

to4kawa
Ultra Champion
| makeresults 
| eval field_sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval field.sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval "field sample"=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval result1=strptime(field_sample, "%b %e, %Y %H:%M:%S %Z")
| eval result2=strptime(field.sample, "%b %e, %Y %H:%M:%S %Z")
| eval result3=strptime("field sample", "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash=strptime('field.sample', "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash=strptime('field sample', "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash_dash=strptime($field.sample$, "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash_dash=strptime($field sample$, "%b %e, %Y %H:%M:%S %Z")

This works, awesome

to4kawa
Ultra Champion
| makeresults 
| eval field_sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval field.sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval "field sample"=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval result1=strptime(field_sample, "%b %e, %Y %H:%M:%S %Z")
| eval result2=strptime(field.sample, "%b %e, %Y %H:%M:%S %Z")
| eval result3=strptime("field sample", "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash=strptime('field.sample', "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash=strptime('field sample', "%b %e, %Y %H:%M:%S %Z")

Interestingly, the field in the case of function arguments needs to be enclosed in single quotes.
