punct::

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

punct::

When Splunk classifies an event, it looks at the first thirty punctuation characters in the first line of the event. When you examine and use the punct event attribute, keep in mind:

Quotes and backslashes are escaped.
Spaces are replaced with an underscore (_).
Tabs are replaced with a "t".
Dashes that follow alphanumeric characters are ignored.
Interesting punctuation characters are: " ,;-#$%&+./:=?@\\'|*\n\r\"(){}<>[]^!"

Examples:

####<Jun 3, 2005 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> <WrapperStartStopAppMain> <>WLS Kernel<> <> <BEA-000360> <Server started in RUNNING mode>

Produces this punctuation:

####<_,__::__>_<>_<>_<>_<>_<>_

172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953

Produces this punctuation:

..._-_-_[:::_-]_\"_?=_/.\"__

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.0.2/Admin/Punct"

« Configure auto-discovery Save event types via SplunkWeb »

This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!

Admin Manual

punct::

punct::

Comments