Solved: Addition of '=' between events

lohit · ‎05-28-2015

Hi all ,

I have a indexes which is capturing logs in real time. However i have observed a strange thing happening when events are indexed in splunk. Splunk is adding a '=' between the event text. Below is an small snippet from logs

Raw logs:
2D 0A 41 63 Firefox/38.0..Ac
000 cept:

Splunk Indexed logs:
User-Agent: Mozilla/5.0 () Gecko/21 Fir=
efox/38.0

I am not what is happening. are my events being truncated ?

Any help !!

woodcock · ‎05-28-2015

This is not Splunk; I am sure it is happening in your raw files before Splunk touches them. This is a sign of Quoted-printable encoding; QP works by using the equals sign "=" immediately followed by carriage return as an escape character to indicated a forced line-break, usually to limit the line length to 76, as some software/protocols (e.g. SMTP) have limits on line length.

View solution in original post

woodcock · ‎05-28-2015

This is not Splunk; I am sure it is happening in your raw files before Splunk touches them. This is a sign of Quoted-printable encoding; QP works by using the equals sign "=" immediately followed by carriage return as an escape character to indicated a forced line-break, usually to limit the line length to 76, as some software/protocols (e.g. SMTP) have limits on line length.

lohit · ‎05-28-2015

Thank you Woodcock.

Addition of '=' between events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation