Re: Extracting field value gets encoded. Why?

jkim34 · ‎01-08-2018

I have extracted value from the message log. So I have custom field with its value.
In the log, it displays "* myName=J&K *"
The extract field is myName, and it's value is now "J\u0026K".
Even when I export this in PDF or CSV, encoded value gets displayed.

Why is this occurring, and is there way to prevent automatic encoding?

p_gurav · ‎01-10-2018

Hi jkim34,

Could you try this regex "myName=(?P[^,\s*(next*)]+)"

jkim34 · ‎01-10-2018

Hi p_gurav,
This don't seem to work. Also other field-value do contain white spaces, commas, etc.
This issue so far seems to be an issue with character & < >
At this point, I'm wondering if this is OOTB issue, or something that needs to be done inside configuration file..

ddrillic · ‎01-10-2018

-- This issue so far seems to be an issue with character & < >
Why does it feel like your data is being treated like XML data? ; - )

jkim34 · ‎01-11-2018

You are right. Maybe I should revise my question a bit 🙂

p_gurav · ‎01-10-2018

My bad, Try this:

myName=(?P<myname>[^,\s*(next*)]+)

jkim34 · ‎01-10-2018

Sorry, I've actually tried this with bracket <>

p_gurav · ‎01-10-2018

Could you please tell me exact search command you are running and one whole sample event?

jkim34 · ‎01-10-2018

Besides regex I stated above, I have following additional information:
Log Message=Form [myAddress=1 Main St., myName=J&K, myPhoneNumber=111-111-1111]
Search Command=search term | table myName

somesoni2 · ‎01-08-2018

How are you extracting the field? Can you share configuration/regex for it?

jkim34 · ‎01-09-2018

Hi, regex is something like below:

(?<=myName=){1}(?P<myName>.+)(?=, nextKeyWord)

Where it looks for the preceding regex just before the value that I'm extracting for, and until it sees , nextKeyWord

Extracting field value gets encoded. Why?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability