Splunk Search

Does full key value not extract properly if it starts with a number?

msmapper
Path Finder

I have created a new log message that looks like

2018-06-27 11:28:01,743 WARN TestReporting , id="LJ99YUT5F1K", trans_timestamp="6/27/18 3:42 AM", 3d_secure_data="", arn="", purchase_amount="57.80", currency="USD"

All of my Key-value pairs do auto-extract but the one named 3d_secure_data does not seem to extract the full name. When you look at the Interesting Fields, the key is actually named d_secure_data, the 3 is being dropped off somehow. See screenshot

Is this a known key naming convention where keys can only start with alpha char or is this an issue with auto-extraction? I am using Splunk Enterprise 6.6.3.

I can work around the issue by renaming the key and spelling out the word three, I just want to know if this is a known configuration setup or a bug.

Regards
Jen

0 Karma

ddrillic
Ultra Champion

The documentation says -

Getting Data In

0 Karma
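
An added example, not part of the thread or of Splunk's own code: a small pre-deployment check that flags key names in a log line which search-time key cleaning would rename, so searches and alerts written against the original key do not silently miss the field. It assumes the cleaning rule given for `CLEAN_KEYS` in the transforms.conf reference (non-alphanumeric characters become underscores, leading underscores and digits are stripped); `PAIR`, `clean_key` and `lint_event` are hypothetical names, and the key regex is a simplification of `key="value"` pairs like those in the question.

```python
import re

# Constructed sample: the log line quoted in the question above.
SAMPLE = ('2018-06-27 11:28:01,743 WARN TestReporting , id="LJ99YUT5F1K", '
          'trans_timestamp="6/27/18 3:42 AM", 3d_secure_data="", arn="", '
          'purchase_amount="57.80", currency="USD"')

# Assumption: a key is the run of characters directly before ="value".
PAIR = re.compile(r'([^\s,="]+)="([^"]*)"')


def clean_key(key):
    """Approximate key cleaning: non-alphanumerics -> "_", then strip leading "_" and digits."""
    cleaned = re.sub(r'[^A-Za-z0-9]', '_', key)
    return re.sub(r'^[_0-9]+', '', cleaned)


def lint_event(line):
    """Return (raw_key, cleaned_key, problem) for each key that would not survive as written."""
    findings = []
    seen = {}  # cleaned name -> first raw key that produced it
    for raw, _value in PAIR.findall(line):
        cleaned = clean_key(raw)
        if not cleaned:
            findings.append((raw, cleaned, "empty after cleaning"))
            continue
        if cleaned != raw:
            findings.append((raw, cleaned, "renamed"))
        if cleaned in seen and seen[cleaned] != raw:
            # Two different raw keys would land in the same field name.
            findings.append((raw, cleaned, "collides with " + seen[cleaned]))
        seen.setdefault(cleaned, raw)
    return findings


if __name__ == "__main__":
    for raw, cleaned, problem in lint_event(SAMPLE):
        print(f"{raw!r} -> {cleaned!r}: {problem}")
```
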

msmapper
Path Finder

Thanks ddrillic! Not sure how I missed that in the documentation after all these years.

0 Karma

ddrillic
Ultra Champion

Sure thing - I wasn't sure either ;-)

0 Karma