Why is Splunk 6.5.1 not able to search when event has data with delimiter
~, while field extraction is working as expected. Issue with search with extracted field=value
another question while extracting fields i was using !#! as separator but its not working.
Can't we use multiple characters as separator !#! ?
Neeraj Singh Dhapola
If this does not help, please provide examples of events, configuration of props and transforms.
@Masa Thanks for the response
Event data example :
2017/03/13 17:04:03.901000~13-MAR-17 05.04.03.885000 PM~13-MAR-17 05.04.03.886000 PM~xxx Client~xxxx~~com.ConnectionError: Error while connecting to remote host.~~~xxxxxxxx~xxxxxxxxxx~xxxxxx/~PASS~xxxxxx~BIS~~xxxx-xxxx-xxx-xx-xxxx~xxxx-0849-11e7-xxx-xxxxx~0~0
When you do mouse over to extract the field for the search splunk is not able to separate with ~ sign OR
once you did field extract after the if you do query on field (i.e field1=xxxx) not able to get result.
I hope this will make more clear. (as of now I have changed ~ to | )
@NeerajDhapola7... Please add mocked up test data, field extraction you have created, search with issue and what is the issue.
Please provide more context for your second issue as well. Add example with special characters as separators and also what was the field extraction which did not work?
Following is a run anywhere example which works fine for me. Kindly provide more details and mock data so that we can assist.
| makeresults | eval teststr="my test string !#! with ~ tilde and separator !#! with issues" | rex field=teststr "(?<data1>.*)\!\#\!(?<data2>.*)\!\#\!(?<data3>.*)" | eval newstr=if(match(data2,"~"),"Found Tilde","Tilde Not found")