Splunk Search

How do you run Splunk query for Field with brackets?

ratan2257
New Member

It might be a very simple answer, however I am not able to find it so far .

My splunk query has a field name "Size(MB)" . I can not get around with escape character, eval or Rex to run the query with this type of field .

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d **avg(Size(MB))** by DBname
0 Karma

lakromani
Builder

If your data is in for of like this:

bla bla Size(128)

Then you can extract it using regex like this:

index=dbx ServerName="bestserver" sourcetype=stats | rex "Size\((?<Size>[^\)]+)" | timechart span=1d avg(Size) by DBname
0 Karma

lakromani
Builder

For me this works: avg("Size(MB)")

You can try to rename the field like this:

your search | rename "Size(MB)" AS Size | timechart span=1d avg(Size) by DBname

PS You do have a space after span in you example. This does not work. Correct is span=1d not span =1d

0 Karma

ratan2257
New Member

It is not about the data , its Field name it self with brackets () .

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ratan2257

You just need double quotes around the name.

index=dbx ServerName="bestserver" sourcetype=stats | timechart span =1d avg("Size(MB)") by DBname

Thanks

0 Karma

ratan2257
New Member

Unfortunately that didn't worked.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ratan2257
Is it possible to share the sample event or screenshot of this field and value?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...