Splunk Enterprise

Why is Splunk deleting 0 during parsing?

bosseres
Contributor

Hello, everyone!

I collect script logs from light forwarders to indexers directly. Logs look like:

0348788934="Y";

0304394493="N";

0874844788="Y";

etc.

 

When it is automatically parsed in Splunk, I got fields 348788934=Y, 304394493=N and so on...

I configured props.conf on the indexers:

[my_sourcetype]
FIELD_DELIMETERS=;

 

But it is still not working. Can anybody help?

Thank you


mayurr98
Super Champion

Hi, is it a multiline event? If yes, could you please put an example of an entire raw event?

bosseres
Contributor

I will correct myself:

The logs start with 0, but a letter comes next, like this:

0HFGHWGHR = "Y";

0RURURIIRJS = "N";
