OK. So this is not about Splunk's metadata format as much as rendering it for export. I suppose you can tweak it a little. The key part here is this transform:

[metadata_meta]
SOURCE_KEY = _meta
REGEX = (?ims)(.*)
FORMAT = ~~~SM~~~$1~~~EM~~~$0
DEST_KEY = _raw

It's being called as the first one (except for the one manipulating routing) and it exports whole _meta as-is. So you need to change it to:

[sanitize_metadata]
INGEST_EVAL = escaped_meta=replace(_meta,"::","=")

[metadata_meta]
SOURCE_KEY = escaped_meta
REGEX = (?ims)(.*)
FORMAT = ~~~SM~~~$1~~~EM~~~$0
DEST_KEY = _raw

And of course adjust props to call the sanitize_metadata first:

TRANSFORMS-zza-syslog = syslog_canforward, sanitize_metadata, metadata_meta, metadata_source, metadata_sourcetype, metadata_index, metadata_host, metadata_subsecond, metadata_time, syslog_prefix, syslog_drop_zero
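
An added example, not part of the original post: a Python model of what sanitize_metadata and metadata_meta do to one event, plus a receiver-side parser for the resulting envelope, to check the output before changing the forwarder. It assumes `_meta` holds space-separated `key::value` pairs and models only these two transforms; the function names and the sample event are constructed for illustration.

```python
import re

SM, EM = "~~~SM~~~", "~~~EM~~~"  # envelope markers from the FORMAT line

def sanitize_meta(meta: str) -> str:
    """Model of INGEST_EVAL escaped_meta=replace(_meta,"::","=")."""
    # Every "::" is rewritten, including any that occur inside a value.
    return re.sub("::", "=", meta)

def render_export(meta: str, raw: str, sanitize: bool = True) -> str:
    """Model of metadata_meta: FORMAT = ~~~SM~~~$1~~~EM~~~$0, DEST_KEY = _raw.

    $1 is the captured source key, $0 is the previous content of _raw.
    """
    body = sanitize_meta(meta) if sanitize else meta
    return f"{SM}{body}{EM}{raw}"

def parse_export(line: str):
    """Receiver side: split the envelope from the event, parse key=value."""
    m = re.match(re.escape(SM) + r"(.*?)" + re.escape(EM) + r"(.*)", line, re.S)
    if m is None:
        raise ValueError("no metadata envelope found")
    pairs = dict(tok.split("=", 1) for tok in m.group(1).split() if "=" in tok)
    return pairs, m.group(2)

# Constructed sample: the src_ip value itself contains "::" (compressed IPv6).
SAMPLE_META = "env::prod dc::fra1 src_ip::fe80::1"
SAMPLE_RAW = "<13>Oct 11 22:14:15 host1 app: started"

if __name__ == "__main__":
    line = render_export(SAMPLE_META, SAMPLE_RAW)
    print(line)
    fields, event = parse_export(line)
    print(fields)   # src_ip arrives as "fe80=1", not "fe80::1"
    print(event)
```

Because the replacement is global, a field value that legitimately contains `::` is altered on export, so the receiver cannot recover it exactly from the `key=value` form.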