Solved: Log format for Splunk key=value

splunkreal · ‎07-26-2021

Hello guys,

do you advice this log format:

key=value instead of key="value" ? Thanks.

* If this helps, please upvote or accept solution 🙂 *

richgalloway · ‎07-26-2021

It depends. K=V is simpler to parse, but if the value contains spaces or commas then it must be quoted. If you must choose one or the other then go with K="V".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-26-2021

It depends. K=V is simpler to parse, but if the value contains spaces or commas then it must be quoted. If you must choose one or the other then go with K="V".

---
If this reply helps you, Karma would be appreciated.

kamlesh_vaghela · ‎07-26-2021

Yes @splunkreal

key="value" will more suggested than key=value.

If you go with key=value and in case the value has SPACE then Splunk field auto discovery will consider only first word of that value. In this case you have to write your own field extraction.

Here, I suggest you to create a sample file and index it with sample data (with double quotes and without double quotes) you will get it what is the best way to store value.

🙂

KV

Log format for Splunk key=value

field extraction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!