Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

return function on field with spaces

kwanx
Explorer
‎08-29-2017 10:55 AM

Hello - searched, but no answer found.

...| return 10 "Name of Field"

Gives:
Name="" of="" Field=""

I know that I can rename this field, but the goal is to get the actual correct name with spaces as it is used in another sourcetype with the same format.

Any ideas please?

0 Karma
Reply

fbehe
Explorer
‎08-30-2017 01:19 AM

As already said by previous comments, correct solution would be to use spaceless names, but if you cannot change the field name, one workaround would be to add a rename command before the return

Instead of having

... | return 10 "Name of Field"

You would have

... | rename "Name of Field" as foo | return 10 foo
0 Karma
Reply

tchintam
Path Finder
‎06-07-2018 08:36 AM

Can I pass that 10 from a count? I mean say suppose I have this command stats count as count which gives me 10. How I do write the return query->

|return count foo

0 Karma
Reply

niketn
Legend
‎08-29-2017 11:48 PM

@kwanx, what is your use case? What are you trying to do? It would be possible for us to suggest alternative if you can share complete SPL.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

woodcock
Esteemed Legend
‎08-29-2017 07:31 PM

I do not believe that this can be; even so, it would be best if you didn't.

Best Practice: Do not use field names with spaces.
Even Better Practice: Only use "clean" names:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#Clean_keys

0 Karma
Reply

somesoni2
Revered Legend
‎08-29-2017 01:00 PM

Not sure if it's a bug/limitation/design, but return command only accepts fields with clean names (no spaces). The workaround would be like this

...| head 10 | table "Name of Field" | format
0 Karma
Reply

kwanx
Explorer
‎08-29-2017 01:18 PM

maybe so; that yields:

( ( "Name=\"\" of=\"\" Field=\"\"" ) )

0 Karma
Reply

somesoni2
Revered Legend
‎08-29-2017 01:36 PM

Try this runanywhere search.

| gentimes start=-10 | eval "Name of field"=starttime | table "Name of field" | format

output:

( ( "Name of field"="1503118800" ) OR ( "Name of field"="1503205200" ) OR ( "Name of field"="1503291600" ) OR ( "Name of field"="1503378000" ) OR ( "Name of field"="1503464400" ) OR ( "Name of field"="1503550800" ) OR ( "Name of field"="1503637200" ) OR ( "Name of field"="1503723600" ) OR ( "Name of field"="1503810000" ) OR ( "Name of field"="1503896400" ) )
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2017 11:34 AM

Have you tried using single quotes around the field name?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kwanx
Explorer
‎08-29-2017 12:05 PM

yes, simiar results 😕

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...