Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- bug with eval + isnull and field name with a numer...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
brettcave
Builder
06-12-2013
04:50 AM
hi, not sure if this is a bug or i am doing something wrong, I think it has something to do with a fieldname starting with a numeric.
... | eval 24hour="1day" | eval test=if(isnull(24hour),"Yes","No")
error: Error in 'eval' command: The expression is malformed. Expected ).. If I rename the field to "hour24" it works without complaining...
is there a restriction with using fieldnames that have a numeric as first character?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
06-12-2013
05:22 AM
Splunk only accepts field names that contain alpha-numeric characters or an underscore:
Valid characters for field names are a-z, A-Z, 0-9, or _ .
Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables.
International characters are not allowed.
You can force splunk to extract fields (through REPORT in props.conf) that start with a number or are all numeric, but there might be problems down the line, like you've experienced. I would not call it a bug, since it's rather well documented, but I understand it can be annoying.
See the section on field extraction in props.conf
http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Propsconf
See the CLEAN_KEYS attribute in transforms.conf as well.
http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Transformsconf
CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time.
"Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other
than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as
well as the stripping of leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field names that include
non-alphanumeric characters, or which begin with underscores or 0-9 characters.
* Defaults to true.
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
06-12-2013
05:22 AM
Splunk only accepts field names that contain alpha-numeric characters or an underscore:
Valid characters for field names are a-z, A-Z, 0-9, or _ .
Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables.
International characters are not allowed.
You can force splunk to extract fields (through REPORT in props.conf) that start with a number or are all numeric, but there might be problems down the line, like you've experienced. I would not call it a bug, since it's rather well documented, but I understand it can be annoying.
See the section on field extraction in props.conf
http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Propsconf
See the CLEAN_KEYS attribute in transforms.conf as well.
http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Transformsconf
CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time.
"Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other
than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as
well as the stripping of leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field names that include
non-alphanumeric characters, or which begin with underscores or 0-9 characters.
* Defaults to true.
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
brettcave
Builder
06-12-2013
06:00 AM
thanks K, now stored in my internal reference for future use 🙂
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
