Automatic key-value field extraction does not handle special characters ?



Here is the raw text of my event.

{"country_code":"FR","currency":"EUR","reseller":"Franc\u00e9 Loisirs"}

(note: in the Splunk interface, "Franc\u00e9 Loisirs" is shown correctly "Francé Loisirs")

As you can see, the value of "reseller" contains a special character.
Using spath allows me to return the event:

index="ebook_sales" | spath reseller | search reseller = "Francé Loisirs"

But a classic attribute search returns nothing:

index="ebook_sales" reseller = "Francé Loisirs"

Do you know how to work out this issue?

The input is an HTTP event collector. I tried to use:
- the _json sourcetype
- a custom sourcetype where I played with index-time field extractions and autokv, (even if the default configuration should have done the job)

But I cannot find a solution.

0 Karma


Could it be a Splunk issue?

0 Karma