Hi,
I have a log that will dynamically add "fields" to log record based on some logic.
It's syslog begging + payload that looks like (example)
Sep 10 16:52:07 11.11.11.11 Sep 10 16:52:07 process[111]: app=test&key0=value0&key1=value1&key2=key...&keyN=valueN
how to automatically/dynamically extract all keyN to fields.
How is the props.conf section for this sourcetype? (Also see Field extraction configuration especially KV_MODE.) It is rather strange that Splunk doesn't already extract all pairs separated by =.
checked under the hood, looks like there is sourcetype transformations so that stanza didn't have KV_MODE.
I put KV_MODE=auto_escaped and it'll extract it automatically.
How is the props.conf section for this sourcetype? (Also see Field extraction configuration especially KV_MODE.) It is rather strange that Splunk doesn't already extract all pairs separated by =.