I have a log of the form
<timestamp> field1 field2 field3 field4 urlfield ....
For example:
<timestamp> field1 field2 field3 field4 http://mydomain.com?field2=blah
So what happens is that when a user uses one of my fields in an url, I don't get the true value of field2 (from my log) but instead Splunk is doing the keyvalue pair extraction for me and field2 is set to blah.
How do people generally handle this case?
@burwell can you add some sample events? You can mock/anonymize any sensitive data. Also share your props.conf and transforms.conf (if it is used for field extraction). What is the configuration you are using for extraction of field1, field2 etc? Are these actually extracted through regex or delimited string? By any chance is the source of data is csv file?
I rex the fields and name them something different
Can you try to disable auto KV (so set KV_MODE=none)?