My logs contain many kv pairs, and some field names contain hyphen characters as well:
timestamp="PST 2015-12-01 11:26:36,400", level="INFO", x-sid="123456789", x-ip="127.0.0.1" , x-state="ALIVE"
My goal is to retain the hyphen (-) characters in the field names, so I set CLEAN_KEYS = false in transforms.conf; I would also like Splunk to auto-extract the kv pairs:
# props.conf
[mytest]
NO_BINARY_CHECK = true
KV_MODE = auto
REPORT-blah = keephyphen
# transforms.conf
[keephyphen]
CLEAN_KEYS = false
However, despite CLEAN_KEYS = false already being set in transforms.conf, Splunk still replaces the hyphens in the field names with underscore characters:
x-sid --> x_sid, x-ip --> x_ip , x-state --> x_state
Did I misconfigure the transforms.conf stanza, or does Splunk not support the combination of CLEAN_KEYS=false and KV_MODE=auto?
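Added example, not part of the original post and not Splunk's code: a Python model of key cleaning as Splunk's documentation describes it (non-alphanumeric characters replaced with underscores, leading underscores and digits stripped), run over the event from the post to list which field names change. The regex and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the event quoted in the post above.
SAMPLE_EVENT = ('timestamp="PST 2015-12-01 11:26:36,400", level="INFO", '
                'x-sid="123456789", x-ip="127.0.0.1" , x-state="ALIVE"')

# key="value" pairs; the key class allows hyphens (assumed event format).
KV_PAIR = re.compile(r'([A-Za-z0-9_.-]+)="([^"]*)"')


def clean_key(name):
    """Model of key cleaning: non-alphanumerics become '_',
    then leading underscores and digits are stripped."""
    cleaned = re.sub(r'[^A-Za-z0-9]', '_', name)
    return re.sub(r'^[_0-9]+', '', cleaned)


def extract(event, clean_keys=True):
    """Return the field dict with or without key cleaning applied."""
    fields = {}
    for key, value in KV_PAIR.findall(event):
        fields[clean_key(key) if clean_keys else key] = value
    return fields


def renamed_fields(event):
    """Return {original: cleaned} for every name key cleaning would alter."""
    return {key: clean_key(key)
            for key, _ in KV_PAIR.findall(event)
            if clean_key(key) != key}


if __name__ == "__main__":
    for original, cleaned in renamed_fields(SAMPLE_EVENT).items():
        print(f"{original} --> {cleaned}")
```

Running it over sample events before deploying a sourcetype shows which field names saved searches and alerts must reference in their cleaned form.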