I am trying to send raw HEC messages and have Splunk auto parse the key/value pair. For example, the following curl statement results in a field called foo with a value of bar... and a field called apple and a value of red:
curl -k https://HOST:PORT/services/collector/raw -H "Authorization: Splunk TOKEN" -d '"foo=bar, apple=red"'
However, if I want to send a value with a space, such as apple=very red, it breaks down. Single ticks don't work, escaped quotes don't work, and no quotes doesn't work:
curl -k https://HOST:PORT/services/collector/raw -H "Authorization: Splunk TOKEN" -d '"foo=bar, apple=\"very red\""'
This must be possible. Hopefully others have run into it. Thanks in advance!
Have you tried using URL Encoding?
As an example, you could POST a name to have it encoded by curl:
curl --data-urlencode "apple=very red" http://example.com
…which would send the following data in the actual request body:
apple=very%20red
The following site has a full explanation and examples of this with curl: https://ec.haxx.se/http-post.html