Knowledge Management

In summary index trailing char "=" of field values are stripped

clagese
Explorer

I create summary index and I have some values as encrypted string

example: applicant.msisdn="oaXjWo017vONwgUvO1WBvg=="
In the the summary index _raw field applicant.msisdn value is correct but the value of search-time extraction is applicant.msisdn=oaXjWo017vONwgUvO1WBvg with trailing "=" stripped.
I look at default transforms.conf for stash sourcetype :

[stash_extract]
DELIMS       = ",", "="
CAN_OPTIMIZE = false
MV_ADD       = true
CLEAN_KEYS   = false

I don't understand why the trailing "=" disappear e how I can correct this behavior
Thanks in advance

0 Karma

darshan
Observer

Hi @clagese , I have also stumbled on  the same issue. So did you manage  to find a way around this?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It would seem the DELIMS attribute is the culprit. The "=" tells Splunk to treat equals signs as a separator between a field name and its value. I don't know how to fix it, however, as changing that setting may affect all summary indexes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...