Some of our data is logged in key value format separated by an equal sign (=), e.g.:
field1=data1 field2=data2
Splunk's auto-extractions works very well with that. However, if a field's data contains an equal sign, things work, but are not perfect. Take a look at this example:
ComputerNameDn="CN=XD71DDC,OU=Computers,OU=HK,DC=hk,DC=test"
As expected, the field `ComputerNameDn` is exctracted with the data `CN=XD71DDC,OU=Computers,OU=HK,DC=hk,DC=test`. So far, so good. But I get additional fields:
CN -> XD71DDC
OU -> Computers
DC -> hk
I don't want those. How can I escape the equal sign in the data so that the additional fields do not get extracted?
↧