Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is Splunk 6.5.1 not able to search when event has data with delimiter ~ while field extraction is working as expected?

NeerajDhapola7
Path Finder
‎03-16-2017 03:02 PM

Why is Splunk 6.5.1 not able to search when event has data with delimiter ~, while field extraction is working as expected. Issue with search with extracted field=value

another question while extracting fields i was using !#! as separator but its not working.
Can't we use multiple characters as separator !#! ?

Thanks
Neeraj Singh Dhapola

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎03-20-2017 12:03 PM
  1. DELIMS = "~" should work for events like "Value01~Value02~Value03"
  2. DELIMS = "!#!" will translated as "! OR # OR !" because DELIMS takes one character as a separator.

If this does not help, please provide examples of events, configuration of props and transforms.

0 Karma
Reply

NeerajDhapola7
Path Finder
‎03-20-2017 12:32 PM

@Masa Thanks for the response

  1. DELIMS = "~" should work for events like "Value01~Value02~Value03"

Event data example :
2017/03/13 17:04:03.901000~13-MAR-17 05.04.03.885000 PM~13-MAR-17 05.04.03.886000 PM~xxx Client~xxxx~~com.ConnectionError: Error while connecting to remote host.~~~xxxxxxxx~xxxxxxxxxx~xxxxxx/~PASS~xxxxxx~BIS~~xxxx-xxxx-xxx-xx-xxxx~xxxx-0849-11e7-xxx-xxxxx~0~0
When you do mouse over to extract the field for the search splunk is not able to separate with ~ sign OR
once you did field extract after the if you do query on field (i.e field1=xxxx) not able to get result.

I hope this will make more clear. (as of now I have changed ~ to | )

  1. DELIMS = "!#!" will translated as "! OR # OR !" because DELIMS takes one character as a separator. Yes, this one resolved the issue as I can use only one character as separator. Issue is when I am selection OTHER and its showing text box where I can give more then 1 character which is giving sense that I can use more then 1 characters as separator. Need to update TEXT box length as 1
0 Karma
Reply

niketn
Legend
‎03-17-2017 03:29 PM

@NeerajDhapola7... Please add mocked up test data, field extraction you have created, search with issue and what is the issue.
Please provide more context for your second issue as well. Add example with special characters as separators and also what was the field extraction which did not work?

Following is a run anywhere example which works fine for me. Kindly provide more details and mock data so that we can assist.

| makeresults
| eval teststr="my test string !#! with ~ tilde and separator !#! with issues"
| rex field=teststr "(?<data1>.*)\!\#\!(?<data2>.*)\!\#\!(?<data3>.*)"
| eval newstr=if(match(data2,"~"),"Found Tilde","Tilde Not found")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

jaredlaney
Contributor
‎01-15-2020 01:39 PM

This is an old question but I'm seeing the same strange behavior with tilde as a delimiter. I'm going to see if I can recreate with data.

0 Karma
Reply

payl_chdhry
Explorer
‎03-12-2020 11:50 PM

found any solution for this? We too as facing issue with tilde as delimiter.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...