Out of the box, Splunk performs field extractions of name/value pairs separated by an "=" sign. We would like to know what special characters disrupt this tagging. For instance, name[subname]=value
name;subname=value
name#subname=value
will not tag appropriately. This does tag appropriately -
name_subname=value
How are other special characters handled?
Field names in Splunk must contain only alphabetic characters, numbers and underscore. The name may not begin with a number. In some cases, spaces are allowed, but not in automatic field extraction.
I expect that this is what is causing your problem. There are potentially ways around this:
General field extraction info: http://docs.splunk.com/Documentation/Splunk/4.3.2/Knowledge/Addfieldsatsearchtime
More detailed info - probably the most useful page: http://docs.splunk.com/Documentation/Splunk/4.3.2/Knowledge/Createandmaintainsearch-timefieldextract...
Tons of details here (look halfway down the page for Field Extractions): http://docs.splunk.com/Documentation/Splunk/4.3.2/Admin/Propsconf