How do I convince Splunk that a backslash inside a...

Getting Data In

I have the following row in a CSV file that I am ingesting into a Splunk index:

"field1","field2","field3\","field4"

Excel and the default Python CSV reader both correctly parse that as 4 separate fields. Splunk does not. It seems to be treating the backslash as an escape character and interpreting field3","field4 as a single mangled field. It is my understanding that the standard escape character for double quotes inside a quoted CSV field is another double quote, according to RFC-4180:

"If double-quotes are used to enclose fields, then a double-quote appearing inside a field must be escaped by preceding it with another double quote."

Why is Splunk treating the backslash as an escape character, and is there any way to change that configuration via props.conf or any other way? I have set:

INDEXED_EXTRACTIONS = csv
KV_MODE = none

for this sourcetype in props.conf, and it is working fine for rows without backslashes in them.

Get Updates on the Splunk Community!

How do I convince Splunk that a backslash inside a CSV field is not an escape character?

CSV

field extraction

props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation