Topics

| pdf version

How Splunk Works

Getting Started

Configuring a Splunk Deployment

Data Inputs

Hosts

Source Types

Timestamp Recognition

Events

Event Types

Meta Events

Fields

Segmentation

Saved Searches and Alerts

Authentication

Data Distribution

Granular Access Control

Distributed Search

Deployment Server

Index Management

Bundles

SplunkBase

Performance Tuning

Routine Maintenance

How-To

Troubleshooting

Reference


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

punct::

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2

punct::

When Splunk classifies an event, it looks at the first thirty punctuation characters in the first line of the event. When you examine and use the punct event attribute, keep in mind:


  • Quotes and backslashes are escaped.
  • Spaces are replaced with an underscore (_).
  • Tabs are replaced with a "t".
  • Dashes that follow alphanumeric characters are ignored.
  • Interesting punctuation characters are: " ,;-#$%&+./:=?@\\'|*\n\r\"(){}<>[]^!"

Examples: 


####<Jun 3, 2005 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> <WrapperStartStopAppMain> <>WLS Kernel<> <> <BEA-000360> <Server started in RUNNING mode>

Produces this punctuation: 


####<_,__::__>_<>_<>_<>_<>_<>_



172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953

Produces this punctuation:


..._-_-_[:::_-]_\"_?=_/.\"__

Retrieved from "http://www.splunk.com/base/Documentation/3.0/Admin/Punct"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.