I'm having issues when writing events to Splunk's HTTP event collector. We have a good amount of existing queries that may need to be rewritten if this cannot be successful. The problem occurs when the POST content is in the following format:
{"event": "Tenant=\"FA1248BC-FC3C-48CF-BC1A-AC07518BAD5A\"\r\nDevice=\"1000\""}
The result is an escaped string in Splunk, which you can see in the attached photo. We need Splunk to unescape the escaped characters and insert line breaks where the Windows new line appears.
I believe this can be done by setting the sourcetype of the event and configuring it properly, but I haven't had any success thus far and I feel I've tried dozens of combinations of LINE_BREAKER and KV_MODE values.
Thanks
↧
How to set and configure the sourcetype to format events written to Splunk's HTTP event collector?
↧