How to avoid influence of equal sign in text strin...

cdp_fap · ‎08-02-2022

I was tring to ingest data into Splunk via HEC. One field of my data is:

myKey1 = " This is my Application message log, myKey2=myValue2 in the text." There is a Key=VALUE enclosed in the value of Field_name.

Splunk will parse the data into two key:

myKey1 = " This is my Application message log, KEY=VALUE in the text."

myKey2=myValue2

myKey2=myValue2 is part of the myKey1.

I don't want it. What I can do to avoid the influence of an equal sign in the text string?

dural_yyz · ‎08-02-2022

Question: Have you attempted the same search SPL in 'Fast Mode' vs 'Smart or Verbose Modes'. Part of the power of Splunk is how much it tries to help you. In this case the Search Head may be trying to auto detect fields for the user.

You could if required reduce the length of the event which field discovery will attempt, I believe default is ~10,000 characters to something much lower. However, I think that would overall be a poorer experience for your user base.

How to avoid influence of equal sign in text string when Splunk HEC parses JSON?

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation