Hello -- I am logging incoming HTTP requests to my logs. What would be the best format for Splunk to pick them up in if one of the values has JSON? Example:
user=jsmith method=POST path=/a/path payload="{some: "thing"}"
or
user=jsmith method=POST path=/a/path payload={some: "thing"}
or some other way? Thanks.
I would say KV_MODE=auto should be fine. You can create a field extraction for JSON data with the Interactive Field Extractor, using a regular expression.
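The two formats in the question leave the end of the payload value ambiguous, because the JSON carries its own quotes and spaces. The sketch below is an added example, not code from either post: it writes the payload as one quoted value with backslash-escaped quotes and reads it back, so payload text cannot spill into other fields. Assumptions: `kv_line` and `parse_kv` are hypothetical helper names, field values are single-line strings, and the reader is a simplified stand-in, not Splunk's own extractor.

```python
import json
import re

_SAFE = re.compile(r"[\w./:-]+")  # values that need no quoting
# Simplified key=value reader for illustration; NOT Splunk's extractor.
_PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def _quote(value):
    """Return value bare if safe, else quoted with backslashes and quotes escaped."""
    if _SAFE.fullmatch(value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def kv_line(fields, payload):
    """Render single-line fields plus a JSON payload as one key=value line."""
    pairs = [f"{k}={_quote(str(v))}" for k, v in fields.items()]
    pairs.append("payload=" + _quote(json.dumps(payload, separators=(",", ":"))))
    return " ".join(pairs)


def parse_kv(line):
    """Split a line into fields, undoing the backslash escapes in quoted values."""
    out = {}
    for m in _PAIR.finditer(line):
        key, quoted, bare = m.groups()
        out[key] = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
    return out


# Constructed sample input, modelled on the log line in the question.
FIELDS = {"user": "jsmith", "method": "POST", "path": "/a/path"}
PAYLOAD = {"some": 'say "hi" a=b'}

if __name__ == "__main__":
    line = kv_line(FIELDS, PAYLOAD)
    print(line)
    print(json.loads(parse_kv(line)["payload"]))
    # The question's first format: the inner quote ends the value early.
    print(parse_kv('user=jsmith method=POST path=/a/path payload="{some: "thing"}"'))
```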