I feel like I should know the answer to this, but just in case I missed something...
Splunk automatically handles field extractions for events like this very well:
```
Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]: successful login. user="joe" ip="10.0.0.99"
```
This works, but it results in all field values wrapped in literal single quotes:
```
Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]: successful login. user='joe' ip='10.0.0.99'
```
So `user` is now `'joe'` and `ip` is now `'10.0.0.99'` (because the single quotes become part of the field's value).
Is there a way to make this work more cleanly with Splunk's automatic KV mode (`KV_MODE=auto`), so that single quotes are treated the way double quotes traditionally are?
I realize this can be done with a REGEX, but I was hoping for a better solution.
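For reference, here is the regex-based route the question alludes to, spelled out as Splunk configuration. This is an added example, not something from the original post or from Splunk's own documentation; the sourcetype name `myfakeservice` and the transform name `kv_any_quoted` are assumptions chosen to match the sample events above.

```ini
# Added example, not part of the original post. Assumes the sample events are
# indexed under a sourcetype named myfakeservice (that name is an assumption).
# The two options below are alternatives: use one or the other, not both.

# ---------------------------------------------------------------------------
# Option 1: search-time field extraction. Nothing is re-indexed and existing
# data benefits immediately.
# ---------------------------------------------------------------------------
# props.conf
[myfakeservice]
# Automatic KV extraction would still pull user='joe' out as the value 'joe'
# (quotes included) alongside the transform below, leaving a multivalued
# field; disabling it here keeps a single clean value per field. Unquoted
# key=value pairs would then need their own transform.
KV_MODE = none
REPORT-kv_any_quoted = kv_any_quoted

# transforms.conf
[kv_any_quoted]
# Group 1: field name. Group 2: the opening quote, either " or '.
# Group 3: the value, which must not contain either quote character.
# \2 at the end requires the closing quote to match the opening one, so the
# same transform handles both the double- and single-quoted event formats.
# Requiring key=<quote> keeps ordinary apostrophes (e.g. "user's") out of it.
REGEX = (\w+)=(["'])([^"']*)\2
# $1::$3 names the field after group 1 and gives it group 3 as its value,
# so user='joe' becomes user=joe with no quotes.
FORMAT = $1::$3

# ---------------------------------------------------------------------------
# Option 2: index-time rewrite of _raw, so the stock KV_MODE=auto behaviour
# works unchanged. Only data indexed after the change is affected, and the
# stanza must live on the tier that parses the data (indexer or heavy
# forwarder), not on a universal forwarder.
# ---------------------------------------------------------------------------
# props.conf
[myfakeservice]
KV_MODE = auto
# Rewrite key='value' to key="value" before the event is written to the
# index. Only single quotes that directly wrap a key's value are touched.
SEDCMD-single_to_double = s/(\w+)='([^']*)'/\1="\2"/g
```

Option 1 is the safer choice when you cannot alter what is stored, since `_raw` stays exactly as the service emitted it; option 2 is the one to pick if downstream searches and dashboards already assume the double-quoted form, at the cost of rewriting the raw event at ingest.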