Knowledge Management

In summary index trailing char "=" of field values are stripped


I create summary index and I have some values as encrypted string

example: applicant.msisdn="oaXjWo017vONwgUvO1WBvg=="
In the the summary index _raw field applicant.msisdn value is correct but the value of search-time extraction is applicant.msisdn=oaXjWo017vONwgUvO1WBvg with trailing "=" stripped.
I look at default transforms.conf for stash sourcetype :

DELIMS       = ",", "="
MV_ADD       = true
CLEAN_KEYS   = false

I don't understand why the trailing "=" disappear e how I can correct this behavior
Thanks in advance

0 Karma


It would seem the DELIMS attribute is the culprit. The "=" tells Splunk to treat equals signs as a separator between a field name and its value. I don't know how to fix it, however, as changing that setting may affect all summary indexes.

If this reply helps you, an upvote would be appreciated.
0 Karma