Getting Data In

How to avoid influence of equal sign in text string when Splunk HEC parses JSON?

cdp_fap
Observer

I was tring to ingest data into Splunk via HEC. One field of my data is:

myKey1 = " This is my Application message log, myKey2=myValue2 in the text."  There is a Key=VALUE enclosed in the value of Field_name.

Splunk will parse the data into two key:

myKey1 = " This is my Application message log, KEY=VALUE in the text." 

myKey2=myValue2

myKey2=myValue2 is part of the myKey1.

 

I don't want it. What I can do to avoid the influence of an equal sign in the text string?

 

Labels (1)
0 Karma

dural_yyz
Builder

Question: Have you attempted the same search SPL in 'Fast Mode' vs 'Smart or Verbose Modes'.   Part of the power of Splunk is how much it tries to help you.  In this case the Search Head may be trying to auto detect fields for the user.

You could if required reduce the length of the event which field discovery will attempt, I believe default is ~10,000 characters to something much lower.  However, I think that would overall be a poorer experience for your user base.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...