I create summary index and I have some values as encrypted string
example: applicant.msisdn="oaXjWo017vONwgUvO1WBvg=="
In the the summary index _raw field applicant.msisdn value is correct but the value of search-time extraction is applicant.msisdn=oaXjWo017vONwgUvO1WBvg with trailing "=" stripped.
I look at default transforms.conf for stash sourcetype :
[stash_extract]
DELIMS = ",", "="
CAN_OPTIMIZE = false
MV_ADD = true
CLEAN_KEYS = false
I don't understand why the trailing "=" disappear e how I can correct this behavior
Thanks in advance
Hi @clagese , I have also stumbled on the same issue. So did you manage to find a way around this?
It would seem the DELIMS
attribute is the culprit. The "="
tells Splunk to treat equals signs as a separator between a field name and its value. I don't know how to fix it, however, as changing that setting may affect all summary indexes.