Some of our data is logged in key value format separated by an equal sign (=), e.g.:
Splunk's auto-extraction works very well with that. However, if a field's data contains an equal sign, things work, but are not perfect. Take a look at this example:
As expected, the field ComputerNameDn is extracted with the data CN=XD71DDC,OU=Computers,OU=HK,DC=hk,DC=test. So far, so good. But I get additional fields:
CN -> XD71DDC
OU -> Computers
DC -> hk
I don't want those. How can I escape the equal sign in the data so that the additional fields do not get extracted?
You can create your own KV_MODE extractions like this:
REPORT-kvmode = double_quote_kvps

[double_quote_kvps]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^=\s]+)="([^"]+)"
SOURCE_KEY = _raw
Unless I am misreading your regex, it breaks when there are escaped double quotes, e.g. MyKey="a=1, b=2, c="1 or 2""
Not sure how to make the backslashes appear correctly in these comments, I am afraid.
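As an added illustration that is not part of this thread: Python's re module run against a constructed event in the question's format, comparing a rough approximation of Splunk's default auto-extraction (an assumption, not Splunk's actual code) with the answer's double_quote_kvps REGEX, and then the comment's escaped-quote case, where a variant of the regex that tolerates backslash-escaped quotes (my addition, not the answerer's) keeps the whole value.

```python
import re

# Constructed sample events (not taken from the thread) in the question's format.
EVENT = ('EventCode=4624 '
         'ComputerNameDn="CN=XD71DDC,OU=Computers,OU=HK,DC=hk,DC=test" '
         'User="jdoe"')
# The comment's escaped-quote case, with the backslashes restored.
ESCAPED_EVENT = r'MyKey="a=1, b=2, c=\"1 or 2\""'

# Rough stand-in for Splunk's KV_MODE=auto (an assumption, not Splunk's code):
# every word followed by '=' becomes a field, even inside a quoted value, which
# is how CN, OU and DC leak out of ComputerNameDn. The lookahead makes the
# matches overlap so the inner pairs are found too.
AUTO_KV = re.compile(r'(?=\b(\w+)=(?:"([^"]*)"|([^\s,"]+)))')

# The REGEX from the answer: only keys whose value is double-quoted.
DOUBLE_QUOTE_KVPS = re.compile(r'([^=\s]+)="([^"]+)"')

# Variant that also accepts backslash-escaped quotes inside the value
# (added here, not part of the answer; still plain PCRE-compatible syntax).
DOUBLE_QUOTE_KVPS_ESCAPED = re.compile(r'([^=\s]+)="((?:[^"\\]|\\.)*)"')


def auto_extract(event):
    """Approximate default auto-extraction; returns (key, value) pairs in order."""
    return [(k, quoted if quoted else bare)
            for k, quoted, bare in AUTO_KV.findall(event)]


def report_extract(event, regex=DOUBLE_QUOTE_KVPS):
    """Apply a REPORT-style transform (FORMAT = $1::$2); returns (key, value) pairs."""
    return regex.findall(event)


if __name__ == "__main__":
    print("auto:   ", auto_extract(EVENT))
    print("answer: ", report_extract(EVENT))
    print("escaped, answer regex: ", report_extract(ESCAPED_EVENT))
    print("escaped, escape-aware:", report_extract(ESCAPED_EVENT, DOUBLE_QUOTE_KVPS_ESCAPED))
```

Note that the answer's regex also drops unquoted pairs such as EventCode=4624, so if those are needed a second REPORT transform for bare values would have to sit alongside it.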