I create summary index and I have some values as encrypted string
In the the summary index _raw field applicant.msisdn value is correct but the value of search-time extraction is applicant.msisdn=oaXjWo017vONwgUvO1WBvg with trailing "=" stripped.
I look at default transforms.conf for stash sourcetype :
It would seem the DELIMS attribute is the culprit. The "=" tells Splunk to treat equals signs as a separator between a field name and its value. I don't know how to fix it, however, as changing that setting may affect all summary indexes.
--- If this reply helps you, Karma would be appreciated.