Hi all ,
I have a indexes which is capturing logs in real time. However i have observed a strange thing happening when events are indexed in splunk. Splunk is adding a '=' between the event text. Below is an small snippet from logs
Raw logs:
2D 0A 41 63 Firefox/38.0..Ac
000 cept:
Splunk Indexed logs:
User-Agent: Mozilla/5.0 () Gecko/21 Fir=
efox/38.0
I am not what is happening. are my events being truncated ?
Any help !!
This is not Splunk; I am sure it is happening in your raw files before Splunk touches them. This is a sign of Quoted-printable encoding; QP works by using the equals sign "=" immediately followed by carriage return as an escape character to indicated a forced line-break, usually to limit the line length to 76, as some software/protocols (e.g. SMTP) have limits on line length.
This is not Splunk; I am sure it is happening in your raw files before Splunk touches them. This is a sign of Quoted-printable encoding; QP works by using the equals sign "=" immediately followed by carriage return as an escape character to indicated a forced line-break, usually to limit the line length to 76, as some software/protocols (e.g. SMTP) have limits on line length.
Thank you Woodcock.