I came across this bug today when using strptime. Strptime does not work on field names that have spaces or periods.
For example,
epochtime=strptime(first_discovered, "%b %e, %Y %H:%M:%S %Z") works
but
epochtime=strptime(first.discovered, "%b %e, %Y %H:%M:%S %Z")
and
epochtime=strptime("first discovered", "%b %e, %Y %H:%M:%S %Z")
do not work.
Is there a place to fill out a bug report?
It is not a bug; use single-quotes, like this:
epochtime=strptime('first discovered', "%b %e, %Y %H:%M:%S %Z")
This is for field names in other places, too. Sometimes you need double-quotes, other times single-quotes, depending on where/how the field name is used. Whitespace in field names is EVIL. ONLY do so on the VERY last line of your SPL with | rename benevolentFieldName AS "Evil Field Name"
Hi @jlucas4,
If you look at the Splunk documentation for the eval command, that would probably answer your question. I am pasting those lines below:
If the expression references a field name that contains non-alphanumeric characters, other than the underscore ( _ ) character, the field name needs to be surrounded by single quotation marks. For example, if the field name is server-1 you specify the field name like this new=count+'server-1'.
If the expression references a literal string, that string needs to be surrounded by double quotation marks. For example, if the string you want to use is server- you specify the string like this new="server-".host.
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Eval
Hope this helps.
Sid
I completely agree, spaces are evil. Unfortunately, we were monitoring a CSV with whitespace in the field names. Now, we are going to use SEDCMD-replacespace in props.conf so we don't run into that issue anymore.
Do you know what is the reasoning behind not allowing double-quotes in this instance?
The use of double-quotes, both in Splunk and most other languages, is generally an indication of an object type of string literal. The fact that sometimes it is used otherwise is unfortunate. In Splunk, you can always use $ to indicate this is a field name, but I generally do not propose this because eventually most searches end up inside of dashboards/macro/foreach/map and then those searches break. So the general approach should be:
0: DO NOT use spaces in field names but, if you absolutely must:
1: Make sure it works in SPL with $field name$.
2: Try 'field name' and if that works, done; otherwise
3: Try "field name".
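The quoting rule from the docs and the rename-on-the-last-line advice above, put together in one search. This is an added example, not from any of the posters in this thread; it fabricates the "first discovered" value with makeresults, so it runs with no index or CSV input. The two strptime calls differ only in the quote style: the double-quoted argument is the string literal "first discovered" (not a date, so strptime yields null), while the single-quoted argument is the field of that name. The work is done on the safe name epoch_field and the human-friendly name is applied by rename at the very end.

```spl
| makeresults
| eval first_discovered="Jan 15, 2020 10:30:00 UTC"
| rename first_discovered AS "first discovered"
| eval epoch_literal=strptime("first discovered", "%b %e, %Y %H:%M:%S %Z")
| eval epoch_field=strptime('first discovered', "%b %e, %Y %H:%M:%S %Z")
| eval age_days=round((now() - epoch_field) / 86400)
| eval check=if(isnull(epoch_literal) AND isnotnull(epoch_field), "single quotes read the field", "unexpected")
| rename epoch_field AS "First Discovered (epoch)"
| table "first discovered", epoch_literal, "First Discovered (epoch)", age_days, check
```

Expected on a working system: epoch_literal is empty, "First Discovered (epoch)" holds the epoch value for 2020-01-15 10:30:00 UTC, and check reads "single quotes read the field". The sample timestamp is constructed; swap in your own CSV field name (single-quoted on the right-hand side of eval) and keep the rename as the last pipe.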
| makeresults
| eval field_sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval field.sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval "field sample"=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval result1=strptime(field_sample, "%b %e, %Y %H:%M:%S %Z")
| eval result2=strptime(field.sample, "%b %e, %Y %H:%M:%S %Z")
| eval result3=strptime("field sample", "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash=strptime('field.sample', "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash=strptime('field sample', "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash_dash=strptime($field.sample$, "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash_dash=strptime($field sample$, "%b %e, %Y %H:%M:%S %Z")
This works, awesome
| makeresults
| eval field_sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval field.sample=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval "field sample"=strftime(_time,"%b %e, %Y %H:%M:%S %Z")
| eval result1=strptime(field_sample, "%b %e, %Y %H:%M:%S %Z")
| eval result2=strptime(field.sample, "%b %e, %Y %H:%M:%S %Z")
| eval result3=strptime("field sample", "%b %e, %Y %H:%M:%S %Z")
| eval result2_dash=strptime('field.sample', "%b %e, %Y %H:%M:%S %Z")
| eval result3_dash=strptime('field sample', "%b %e, %Y %H:%M:%S %Z")
Interestingly, the field in the case of function arguments needs to be enclosed in single quotes.