Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does Walklex return spaces before some of the field names, but fieldsummary does not?

Derson
Explorer
‎01-29-2023 11:20 PM

Why does Walklex return spaces before some of the field names, but fieldsummary does not? When I see this without field extractions causing spaces in the field names, it usually looks like "special" fields this happens to. But these fields don't seem to exist if I try to search for or using them.

Is this as simple as an output parsing bug from walklex or an indexing bug adding a space? If so, 
1. Should the space be trimmed or the event be removed to get the correct results?
2. Any context on why this is happening with specific fields?

fieldsummary command with no spaces in field names:

 

index=indexName
| fieldsummary
| stats count by field

 

Example results from fieldsummary:

field
host
source
sourcetype
timestamp


walklex command with spaces in field names:

 

| walklex index=indexName type=field
| stats count by field

 

Example results from walklex:

field
 host
 timestamp
host
timestamp



Labels (1)
Labels
Tags (2)
0 Karma
Reply

rderson
Engager
‎05-14-2023 05:17 PM

Splunk stores everything in lower case, but fields are case sensitive. You'll notice that all the fields returned by Walklex that have a space at the start return with the correct case. Walklex is revealing the hidden backend way that Splunk stores case-sensitive field names. 

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...