Re: can't use a field with special characters in s...

pavan_injarapu · ‎02-07-2020

I have a field named '_@timestamp' in my data. When i search for this field, the result doesn't show up. May be because this is being treated as an internal field by Splunk. How to query for this field?

index::<> | fields _@timestamp time

Fields section resulted from 'search' only has time field but not _@timestamp

to4kawa · ‎02-07-2020

|makeresults
| eval "_@timestamp"=now()
| eval time='_@timestamp'
| rename "_@timestamp" as visible_time

hi @pavan_injarapu
That's a great field name.

adonio · ‎02-07-2020

try something like this:
index::<yourindexhere> | fields _@timestamp time | eval time2 = _@timestamp

pavan_injarapu · ‎02-07-2020

Thanks for the response Adonio, its not working

adonio · ‎02-07-2020

switch it then:
index:: | eval time2 = _@timestamp| fields time2 time

pavan_injarapu · ‎02-07-2020

I tried all such combinations already 🙂

Vijeta · ‎02-07-2020

May be the field is not parsed or extracted , its part of raw event only. In order to use it you need to create a field extraction. Can you share some sample log please.

can't use a field with special characters in search --> _@timestamp

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?