Solved: Quote escaping best practices

stevennoble · ‎11-12-2013

I'm trying to figure out how I can format my logs such that splunk does not get confused by an escaped quote.
I'm currently doing something like

foo="a bunch of \"text\"" bar="a bunch \"more\" text"

And of course this quite confuses splunk. Assuming we don't want to switch to json how best to deal with quotes since backslash escaping doesn't seem to work.

jtrucks · ‎11-12-2013

You will have to manually create field extractions to accommodate these logs. Once those are all configured and working, you shouldn't have to worry about auto-extracted fields with bad data. Check out KV_MODE in props.conf to disable auto-extracts for this source, too.

--
Jesse Trucks
Minister of Magic

View solution in original post

stevennoble · ‎11-12-2013

Been playing with this. It appears KV_MODE = auto_escaped does everything I want

helge · ‎10-17-2018

This is the better answer

jtrucks · ‎11-12-2013

You will have to manually create field extractions to accommodate these logs. Once those are all configured and working, you shouldn't have to worry about auto-extracted fields with bad data. Check out KV_MODE in props.conf to disable auto-extracts for this source, too.

--
Jesse Trucks
Minister of Magic

stevennoble · ‎11-12-2013

I don't mind escaping at search time. What I do mind is an extracted field of
foo: a bunch of

I can't change to single quotes because there are times where the single quote double quote distinction matters.

lukejadamec · ‎11-12-2013

If you use escape characters and quotes in your logs, then you will need to escape them both at search time.
If you don't wan't to escape quotes at search time, then use some a single quote in your logs.

Quote escaping best practices

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms