Splunk Search

Splunk breaks a saved search report if a field value contains a colon. Do I need to escape the colon, and how?

sunbol
New Member

Splunk breaks a saved search report if the field value contains a colon. My source record is below.

[2015-07-29 12:43:53,782  user: ataeva | userAsIsCase: AtaevA | action: approved | name: ia_promotions | id: 1370545662068 | assettype: SECArticle | target: 1370539530396 | division_office: OIEA | assetlink: http://wcm.sec.gov/servlet/ContentServer?id=1370545662068&AssetType=SECArticle&cs_environment=standa... | title: Investor Alert:  Fraudulent Stock Promotions |  Status: Approved | url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stageurl: http://wcm.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | stagehost: wcm.sec.gov | deliveryhost: www.sec.gov | path: oiea/investor-alerts-bulletins/ia_promotions.html

Take a look at the title: field value. It has a colon after "Investor Alert". How do I fix this? Do I need to escape it, and how?

0 Karma
1 Solution

woodcock
Esteemed Legend

You can fix this one of 2 ways: you can have the person who creates these events encapsulate the title value inside double quotes so that it shows up as ... | title: "Investor Alert: Fraudulent Stock Promotions" | ... OR you can use a different approach for KVP extraction (I assume that you are using something like | extract pairdelim="|", kvdelim=":") that is more directly programmable. Try this:

In props.conf:

[mySourceType]
REPORT-search_time_extractions = my_KVPs

In transforms.conf:

[my_KVPs]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^:]+):\s+([^\|]*)(?:\s+\||$)
SOURCE_KEY = message

0 Karma

sunbol
New Member

Thanks Woodcock. The first option requires a JAR deployment and a restart of the server on the Splunk forwarder side. The second option requires admin access to update transforms? Am I right? I haven't created any prop extracts for the Title field.
Though based on your inputs, I am thinking of adding the following regex to my saved search. Please let me know your thoughts.

Since the data set isn't large, I am planning on a regular expression to redefine the field title. Insert

| rex field=_raw "|\s+title:\s+(?

0 Karma

woodcock
Esteemed Legend

You can add a props entry and a transforms entry from the GUI without full admin privileges, depending on how your roles are set up. As far as extracting your Title, you can do this:

| rex field=_raw "\|\s+title:\s+(?<Title>[^\|]*)(?:\s+\||$)"

0 Karma
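To make the two approaches in this thread concrete, here is an added example (my own code, not from the original posts or from Splunk) that runs the transforms.conf REGEX from the accepted answer and the later `rex` against a constructed event shaped like the one in the question, next to the naive "split on every colon" extraction that loses the title. The `clean_key` helper is my approximation of Splunk's default CLEAN_KEYS behaviour, not a verified reimplementation.

```python
import re

# Constructed sample event, modelled on the log line in the question (shortened,
# not the original record). Note the colon inside the title and the colons in the URL.
EVENT = (
    "2015-07-29 12:43:53,782  user: ataeva | action: approved | "
    "title: Investor Alert:  Fraudulent Stock Promotions | "
    "url: http://www.sec.gov/oiea/investor-alerts-bulletins/ia_promotions.html | "
    "deliveryhost: www.sec.gov"
)

def naive_kv(event):
    """Split on the pair delimiter, then on *every* colon. This is what a plain
    pairdelim="|" / kvdelim=":" extraction amounts to, and it truncates any
    value that itself contains a colon."""
    pairs = {}
    for chunk in event.split("|"):
        parts = chunk.split(":")
        if len(parts) >= 2:
            pairs[parts[0].strip()] = parts[1].strip()  # text after the 2nd colon is lost
    return pairs

# The REGEX from the transforms.conf answer: the key runs up to the FIRST colon and
# the value up to the next pipe (or end of line), so colons inside values survive.
KVP_RE = re.compile(r"([^:]+):\s+([^\|]*)(?:\s+\||$)")

def clean_key(key):
    """Assumed approximation of Splunk's default CLEAN_KEYS handling: non-alphanumerics
    become '_', then leading underscores and digits are dropped. This is what turns the
    first, timestamp-polluted key ('53,782  user') into plain 'user'."""
    key = re.sub(r"[^A-Za-z0-9_]", "_", key)
    return key.lstrip("_0123456789")

def regex_kv(event):
    """Field extraction as the REPORT-/transforms.conf stanza would produce it."""
    return {clean_key(k): v for k, v in KVP_RE.findall(event)}

# The search-time rex from the last reply, written with Python's named-group syntax.
TITLE_RE = re.compile(r"\|\s+title:\s+(?P<Title>[^\|]*)(?:\s+\||$)")

def title_via_rex(event):
    """Extract only the Title field, as the `| rex field=_raw ...` search would."""
    m = TITLE_RE.search(event)
    return m.group("Title") if m else None

if __name__ == "__main__":
    print("naive :", naive_kv(EVENT)["title"])   # Investor Alert
    print("regex :", regex_kv(EVENT)["title"])   # Investor Alert:  Fraudulent Stock Promotions
    print("rex   :", title_via_rex(EVENT))       # Investor Alert:  Fraudulent Stock Promotions
```

The naive version also mangles the url field (it keeps only "http"), which is the same failure mode as the title, just less visible in a report.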