Hi,
In case I have a key-value format and the name of the key starting with __ or every other invalid characters,
How can I ignore Splunk from changing the key name and keep it as is?
Thanks for your help
I believe you can avoid some cleanup (not recommended) if you're using custom field extraction using Field Transforms. Using following attribute:
CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it
extracts at search time.
"Key cleaning" is the practice of replacing any non-alphanumeric
characters (characters other than those falling between the a-z, A-Z, or
0-9 ranges) in field names with underscores, as well as the stripping of
leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field
names that include non-alphanumeric characters, or which begin with
underscores or 0-9 characters.
* Defaults to true.
I'm pretty sure you can't do that.