How do you run Splunk query for Field with bracket...

ratan2257 · ‎09-22-2018

It might be a very simple answer, however I am not able to find it so far .

My splunk query has a field name "Size(MB)" . I can not get around with escape character, eval or Rex to run the query with this type of field .

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d **avg(Size(MB))** by DBname

lakromani · ‎09-23-2018

If your data is in for of like this:

bla bla Size(128)

Then you can extract it using regex like this:

index=dbx ServerName="bestserver" sourcetype=stats | rex "Size\((?<Size>[^\)]+)" | timechart span=1d avg(Size) by DBname

lakromani · ‎09-24-2018

For me this works: avg("Size(MB)")

You can try to rename the field like this:

your search | rename "Size(MB)" AS Size | timechart span=1d avg(Size) by DBname

PS You do have a space after span in you example. This does not work. Correct is span=1d not span =1d

ratan2257 · ‎09-23-2018

It is not about the data , its Field name it self with brackets () .

kamlesh_vaghela · ‎09-23-2018

@ratan2257

You just need double quotes around the name.

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d avg("Size(MB)") by DBname

Thanks

ratan2257 · ‎09-23-2018

Unfortunately that didn't worked.

kamlesh_vaghela · ‎09-25-2018

@ratan2257
Is it possible to share the sample event or screenshot of this field and value?

How do you run Splunk query for Field with brackets?