We have messages that have tabs replaced with #011 along with other control characters (See rsyslog EscapeControlCharactersOnReceive setting) but we do not want to turn this setting off. Ideally, we want to have Splunk split on #011 in addition to the existing splitting tokens (real tab, spaces, etc). When we have log lines like:
#011Testing 123
We are unable to search for "Testing" without specifying it as a wildcard or some other substring technique. We would like to be able to search for Testing as if it a log line without the #011 replacement.
... View more