We have customized our internal applications to a custom key=value schema and it usually works well. Splunk usually recognizes the fields just fine. However in one case it fails.
If the log line contains
JSocketPlugInImpl: handled :/Workflow/getNextActions
Then the following line
Aug 14 14:34:51 172.26.1.10 14.08.2013 16:41:35 level=INFO stage=prod component=E3 application=evn version=V_06_02_08 service=/Workflow/getNextActions user=xXxXx JSocketPlugInImpl: handled :/Workflow/getNextActions, ReqLen[b]=1000, RspLen[b]=5505 (LogDecorator.java, line 118)
gives me in the field user "xXxXx JSocketPlugInImpl: handled :/Workflow/getNextActions"
Is there something I need to tweak? Or do we have to always put values into "?
A working log line would be
Aug 15 07:08:26 172.26.1.10 15.08.2013 09:09:51 level=INFO stage=prod component=E3 application=evn version=V_06_02_08 service=/Workflow/setContainer user=xXxXx HPVTraceHandler: Execution of request /Workflow/setContainer [375961] RC=0 took ms: 0 (LogDecorator.java, line 118)
Seems to only affect lines with "JSocketPlugInImpl:"
Splunk will by default recognize field=value pairs and will also by default use "," as a delimiter between field value pairs. So this is simply default behaviour.
I have augmented the description.
We'll change the app logging to see if it helps, but yeah, makes sense. Will close the question when we have verified this.
Can you post an event that does not cause this problem?
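One way to do the logging change discussed in this thread is to always quote values and move the free text into its own quoted field, so no value depends on a space or comma to end it. This is an added example, not code from the thread or from Splunk: the function names and the `msg` field are hypothetical, and `parse_event` is only a strict checker for the emitted line, not Splunk's extractor.

```python
import re

# Field order taken from the log lines in the question.
FIELDS = ("level", "stage", "component", "application", "version", "service", "user")

def quote(value):
    """Quote a value; escape backslash and quote, and neutralise CR/LF
    so a value cannot end its own quotes or start a new event."""
    s = str(value).replace("\\", "\\\\").replace('"', '\\"')
    s = s.replace("\r", "\\r").replace("\n", "\\n")
    return '"' + s + '"'

def format_event(fields, message):
    """Emit key="value" pairs, then the free text as a quoted field (msg is hypothetical)."""
    pairs = [f"{k}={quote(fields[k])}" for k in FIELDS if k in fields]
    pairs.append("msg=" + quote(message))
    return " ".join(pairs)

# Strict reader used only to check the emitted line: key="..." with escapes.
PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
_UNESC = {"n": "\n", "r": "\r"}

def parse_event(line):
    """Return {key: value} for every key="value" pair, undoing quote()'s escapes."""
    out = {}
    for key, raw in PAIR.findall(line):
        out[key] = re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(1)), raw)
    return out

# Constructed sample based on the failing line in the question.
SAMPLE_FIELDS = {
    "level": "INFO", "stage": "prod", "component": "E3", "application": "evn",
    "version": "V_06_02_08", "service": "/Workflow/getNextActions", "user": "xXxXx",
}
SAMPLE_MSG = ("JSocketPlugInImpl: handled :/Workflow/getNextActions, "
              "ReqLen[b]=1000, RspLen[b]=5505")

if __name__ == "__main__":
    line = format_event(SAMPLE_FIELDS, SAMPLE_MSG)
    print(line)
    print("user =", parse_event(line)["user"])
```
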