Question:
When using the keyvalue operator to extract defined fields from a log message, the fields often contain special characters. When we attempt to aggregate on an extracted value that contains a special character, we receive an error message similar to the following:
string matching regex `\z' expected but `-' found
How do we reference a field name that contains a special character?
Answer:
The Sumo Logic search language allows only the characters [a-zA-Z_] in field identifiers. When a field name contains special characters, escape it with the following syntax wherever you reference the field in the query:
%"<field_name>"
Here's an example:
| keyvalue regex " ([A-Z_-]+?)='([^']+?)'" keys "TYPE", "MESSAGES", "CHANNEL", "DOCUMENT-URI" | count by %"document-uri"