Question:

When using the keyvalue operator to extract defined fields from a log message, the fields often contain special characters.  When we attempt to aggregate on an extracted value that contains a special character, we receive an error message similar to the following:

string matching regex `\z' expected but `-' found

How do we reference a field name that contains a special character?

Answer:

The way the Sumo Logic search language is specified, it allows only [a-zA-Z_] as valid characters for identifiers for fields. In cases where a field name contains special characters, you need to escape the field name by using the following syntax when calling the field in the query:

%"<field_name>"

Here's an example:

| keyvalue regex " ([A-Z_-]+?)='([^']+?)'" keys "TYPE", "MESSAGES", "CHANNEL", "DOCUMENT-URI"
| count by %"document-uri"