Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In summary index trailing char "=" of field values are stripped

clagese
Explorer
‎02-15-2018 10:15 AM

I create summary index and I have some values as encrypted string

example: applicant.msisdn="oaXjWo017vONwgUvO1WBvg=="
In the the summary index _raw field applicant.msisdn value is correct but the value of search-time extraction is applicant.msisdn=oaXjWo017vONwgUvO1WBvg with trailing "=" stripped.
I look at default transforms.conf for stash sourcetype :

[stash_extract]
DELIMS       = ",", "="
CAN_OPTIMIZE = false
MV_ADD       = true
CLEAN_KEYS   = false

I don't understand why the trailing "=" disappear e how I can correct this behavior
Thanks in advance

0 Karma
Reply

darshan
Observer
‎06-17-2021 01:54 AM

Hi @clagese , I have also stumbled on  the same issue. So did you manage  to find a way around this?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2018 02:42 PM

It would seem the DELIMS attribute is the culprit. The "=" tells Splunk to treat equals signs as a separator between a field name and its value. I don't know how to fix it, however, as changing that setting may affect all summary indexes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...