Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dealing with field names with a period in it

hcastell
Path Finder
‎01-30-2015 12:00 PM

Hi all, I have the following in a macro that I'm basically using to retrieve a integer value that will be used later in my search string:

| eval TestRxSNRTemp=split(Ipd.TestRxSNR," ")
| eval TestRxSNRValue=mvindex(TestRxSNRTemp,0)

The value of Ipd.TestRxSNR field will typically be a value like 20db. I just need the 20. Using the above does not yield the result I'm looking for. Unfortunately, the fields with the period in the name are in input files (XML files) that I don't have any controller over. I'm trying to figure out a way to work around this. I was wondering if there was a way to use the field name (with the period) as is? Thanks for your support.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

hcastell
Path Finder
‎01-30-2015 12:46 PM

Sorry to be unclear. Basically all I needed was to use single quotes around the field name as you instructed. Works fine now. Thanks for your help.

View solution in original post

Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎01-30-2015 01:23 PM

Periods shouldn't pose a problem. Try using the rename command to rename one of your fields to include a .; no worries there.

There are a ton of ways to approach this. The first thought, personally, is to use regular expressions ! Here is but one way; if it doesn't work just post a comment and I'll revise.

There is a cool sed mode on the rex command, check it like this:

| rex field=Ipd.TestRxSNR mode=sed "s/[^0-9]//g"

What's this black magic? you screech? Ah, nothing but a global blank substitution for anything that isn't a number in the field we specify.

0 Karma
Reply
Solved! Jump to solution

hcastell
Path Finder
‎01-30-2015 02:30 PM

Thanks for the suggestion. May try that one day. This time around the single quote did the trick.

Reply
Solved! Jump to solution
Solution

hcastell
Path Finder
‎01-30-2015 12:46 PM

Sorry to be unclear. Basically all I needed was to use single quotes around the field name as you instructed. Works fine now. Thanks for your help.

Reply
Solved! Jump to solution

acharlieh
Influencer
‎01-30-2015 12:11 PM

I'm not entirely sure what you're asking here. To use fields with special characters in them in eval and where functions you'd use single quotes to refer to the fields. (E.x. 'lpd.TestRxSNR' ) If you're having trouble extracting a value, you could also consider the rex command to use a regular expression instead.

Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎01-30-2015 12:34 PM

If possible, @acharlieh, please convert your comment to an answer and @hcastell, mark it as accepted. Thanks !

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎01-30-2015 12:44 PM

Converted!

Reply
Solved! Jump to solution

hcastell
Path Finder
‎01-30-2015 12:29 PM

Sorry to be unclear. Basically all I needed was to use single quotes around the field name as you instructed. Works fine now. Thanks for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...