Solved: Re: Addition of '=' between events

lohit · ‎05-28-2015

Hi all ,

I have a indexes which is capturing logs in real time. However i have observed a strange thing happening when events are indexed in splunk. Splunk is adding a '=' between the event text. Below is an small snippet from logs

Raw logs:
2D 0A 41 63 Firefox/38.0..Ac
000 cept:

Splunk Indexed logs:
User-Agent: Mozilla/5.0 () Gecko/21 Fir=
efox/38.0

I am not what is happening. are my events being truncated ?

Any help !!

woodcock · ‎05-28-2015

This is not Splunk; I am sure it is happening in your raw files before Splunk touches them. This is a sign of Quoted-printable encoding; QP works by using the equals sign "=" immediately followed by carriage return as an escape character to indicated a forced line-break, usually to limit the line length to 76, as some software/protocols (e.g. SMTP) have limits on line length.

View solution in original post

woodcock · ‎05-28-2015

This is not Splunk; I am sure it is happening in your raw files before Splunk touches them. This is a sign of Quoted-printable encoding; QP works by using the equals sign "=" immediately followed by carriage return as an escape character to indicated a forced line-break, usually to limit the line length to 76, as some software/protocols (e.g. SMTP) have limits on line length.

lohit · ‎05-28-2015

Thank you Woodcock.

Addition of '=' between events

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?