- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extracting field value gets encoded. Why?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting field value gets encoded. Why?
I have extracted value from the message log. So I have custom field with its value.
In the log, it displays "* myName=J&K *"
The extract field is myName, and it's value is now "J\u0026K".
Even when I export this in PDF or CSV, encoded value gets displayed.
Why is this occurring, and is there way to prevent automatic encoding?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jkim34,
Could you try this regex "myName=(?P[^,\s*(next*)]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi p_gurav,
This don't seem to work. Also other field-value do contain white spaces, commas, etc.
This issue so far seems to be an issue with character & < >
At this point, I'm wondering if this is OOTB issue, or something that needs to be done inside configuration file..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
-- This issue so far seems to be an issue with character & < >
Why does it feel like your data is being treated like XML data? ; - )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are right. Maybe I should revise my question a bit 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad, Try this:
myName=(?P<myname>[^,\s*(next*)]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I've actually tried this with bracket <>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please tell me exact search command you are running and one whole sample event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Besides regex I stated above, I have following additional information:
Log Message=Form [myAddress=1 Main St., myName=J&K, myPhoneNumber=111-111-1111]
Search Command=search term | table myName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How are you extracting the field? Can you share configuration/regex for it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, regex is something like below:
(?<=myName=){1}(?P<myName>.+)(?=, nextKeyWord)
Where it looks for the preceding regex just before the value that I'm extracting for, and until it sees , nextKeyWord
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
