- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi, not sure if this is a bug or i am doing something wrong, I think it has something to do with a fieldname starting with a numeric.
... | eval 24hour="1day" | eval test=if(isnull(24hour),"Yes","No")
error: Error in 'eval' command: The expression is malformed. Expected ).. If I rename the field to "hour24" it works without complaining...
is there a restriction with using fieldnames that have a numeric as first character?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk only accepts field names that contain alpha-numeric characters or an underscore:
Valid characters for field names are a-z, A-Z, 0-9, or _ .
Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables.
International characters are not allowed.
You can force splunk to extract fields (through REPORT in props.conf) that start with a number or are all numeric, but there might be problems down the line, like you've experienced. I would not call it a bug, since it's rather well documented, but I understand it can be annoying.
See the section on field extraction in props.conf
http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Propsconf
See the CLEAN_KEYS attribute in transforms.conf as well.
http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Transformsconf
CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time.
"Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other
than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as
well as the stripping of leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field names that include
non-alphanumeric characters, or which begin with underscores or 0-9 characters.
* Defaults to true.
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk only accepts field names that contain alpha-numeric characters or an underscore:
Valid characters for field names are a-z, A-Z, 0-9, or _ .
Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables.
International characters are not allowed.
You can force splunk to extract fields (through REPORT in props.conf) that start with a number or are all numeric, but there might be problems down the line, like you've experienced. I would not call it a bug, since it's rather well documented, but I understand it can be annoying.
See the section on field extraction in props.conf
http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Propsconf
See the CLEAN_KEYS attribute in transforms.conf as well.
http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Transformsconf
CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time.
"Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other
than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as
well as the stripping of leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field names that include
non-alphanumeric characters, or which begin with underscores or 0-9 characters.
* Defaults to true.
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks K, now stored in my internal reference for future use 🙂
