I'm trying to figure out how I can format my logs such that Splunk does not get confused by an escaped quote.
I'm currently doing something like
foo="a bunch of \"text\"" bar="a bunch \"more\" text"
And of course this quite confuses Splunk. Assuming we don't want to switch to JSON, how best to deal with quotes, since backslash escaping doesn't seem to work?
You will have to manually create field extractions to accommodate these logs. Once those are all configured and working, you shouldn't have to worry about auto-extracted fields with bad data. Check out KV_MODE in props.conf to disable auto-extracts for this source, too.
Been playing with this. It appears KV_MODE = auto_escaped does everything I want.
This is the better answer
I don't mind escaping at search time. What I do mind is an extracted field of
foo: a bunch of
I can't change to single quotes because there are times where the single quote double quote distinction matters.
If you use escape characters and quotes in your logs, then you will need to escape them both at search time.
If you don't want to escape quotes at search time, then use a single quote in your logs.
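The truncation described in the question (foo extracted as "a bunch of") and the escape handling the thread attributes to KV_MODE = auto_escaped can be reproduced outside Splunk. This is an added example, not part of the original thread and not Splunk's own extraction code; the two regular expressions and the function names are assumptions chosen to illustrate the behaviour.

```python
import re

# Constructed sample: the log line from the question above.
LINE = r'foo="a bunch of \"text\"" bar="a bunch \"more\" text"'

# Naive extraction: a quoted value ends at the first double quote,
# so a backslash-escaped quote cuts the field short.
NAIVE = re.compile(r'(\w+)="([^"]*)"')

# Escape-aware extraction: inside quotes a backslash consumes the next
# character, so \" and \\ do not terminate the value.
ESCAPED = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def extract_naive(line):
    """Return key/value pairs, ignoring backslash escapes."""
    return dict(NAIVE.findall(line))


def extract_escaped(line):
    """Return key/value pairs, honouring \\" and \\\\ inside quoted values."""
    return {
        key: re.sub(r'\\(["\\])', r'\1', value)  # drop the escaping backslash
        for key, value in ESCAPED.findall(line)
    }


def fields_changed_by_escaping(line):
    """List the fields whose value differs between the two extractions."""
    naive = extract_naive(line)
    full = extract_escaped(line)
    return sorted(key for key in full if naive.get(key) != full[key])


if __name__ == "__main__":
    print("naive:  ", extract_naive(LINE))
    print("escaped:", extract_escaped(LINE))
    print("differs:", fields_changed_by_escaping(LINE))
```

Running fields_changed_by_escaping over a sample of a source's events shows which fields a search would see cut short if the escape-aware mode were not in effect.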