Getting Data In

Safe characters for field names

cphair
Builder

What is the "safe" character set to use for field names, especially in lookups? By "safe" I mean "no need to quote-escape in a search." I know [a-zA-Z0-9_] works--is there anything else? Periods are sort of valid, but they can do funny things in evals. Basically I'm looking for a secondary separator character in addition to the underscore.

The only official Splunk doc I could find on the topic was the indexed field extraction doc (https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction), but I don't need to define these at index time or in the conf files.

Labels (1)
0 Karma
1 Solution

skalliger
SplunkTrust
SplunkTrust

Field names are field names. So use the mentioned characters only.

Valid characters for field names are
a-z, A-Z, 0-9, or _ . Field names
cannot begin with 0-9 or _ . Splunk
reserves leading underscores for its
internal variables. Avoid assigning
field names that match any of the
default field names. Do not assign
field names that contain international
characters.

Skalli

View solution in original post

0 Karma

twjack
New Member

I'm a bit desperate, I'm trying to normalize all field names and remove special characters (https://docs.splunk.com/Documentation/StyleGuide/current/StyleGuide/Specialcharacters) so that a following "foreach" doesn't throw an error. All field names should only contain valid characters.

Can anyone help me?

0 Karma

to4kawa
SplunkTrust
SplunkTrust

I think you are right. but this question is accepted and closed.
please ask another.

0 Karma

Graham_Hanningt
Builder

Not an answer, and setting aside your understandable "no need to quote-escape" qualification: I have just been searching the Splunk docs for the set of characters allowed in field names. The documentation is inconsistent. Different topics cite different sets of characters.

From Splunk docs / Documentation / Splunk Enterprise / Getting Data In / Create custom fields at index time:

Field name syntax restrictions

You can assign field names as follows:

  • Valid characters for field names are a-z, A-Z, 0-9, or _ .

Similarly, from Splunk docs / Documentation / Splunk Cloud / Knowledge Manager Manual / Field Extractor: Select Fields step:

Field names must start with a letter and contain only letters, numbers, and underscores.

But then, Splunk docs / Documentation / Splunk Enterprise / Knowledge Manager Manual / About regular expressions with field extraction:

Proper field name syntax
Field names must conform to the field name syntax rules.

  • Valid characters for field names are a-z, A-Z, 0-9, . , :, and _.

adds the period (.) and colon (:).

0 Karma

skalliger
SplunkTrust
SplunkTrust

Field names are field names. So use the mentioned characters only.

Valid characters for field names are
a-z, A-Z, 0-9, or _ . Field names
cannot begin with 0-9 or _ . Splunk
reserves leading underscores for its
internal variables. Avoid assigning
field names that match any of the
default field names. Do not assign
field names that contain international
characters.

Skalli

View solution in original post

0 Karma

cphair
Builder

I was afraid of that. Would be nice if there were a second separator-like character, but I'll make do. Thank you for confirming.

0 Karma

niketnilay
Legend

@cphair you can refer to the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutregularexpressionswithfieldextrac...

Also you can try creating a Field Extraction using Interactive Field Extractor where you will get Field names must start with a letter and contain only letters, numbers, and underscores. warning in case you provide invalid field name.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!