Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does Walklex return spaces before some of the field names, but fieldsummary does not?

Derson
Engager
‎01-29-2023 11:20 PM

Why does Walklex return spaces before some of the field names, but fieldsummary does not? When I see this without field extractions causing spaces in the field names, it usually looks like "special" fields this happens to. But these fields don't seem to exist if I try to search for or using them.

Is this as simple as an output parsing bug from walklex or an indexing bug adding a space? If so, 
1. Should the space be trimmed or the event be removed to get the correct results?
2. Any context on why this is happening with specific fields?

fieldsummary command with no spaces in field names:

 

index=indexName
| fieldsummary
| stats count by field

 

Example results from fieldsummary:

field
host
source
sourcetype
timestamp


walklex command with spaces in field names:

 

| walklex index=indexName type=field
| stats count by field

 

Example results from walklex:

field
 host
 timestamp
host
timestamp



Labels (2)
Labels
Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...