Hi,
To make a long story short, I have some logs that are key-value pairs, like so:
foo="bar" dog="cat" frog="bat"
Unfortunately my Windows logging daemon converts to this:
[hostname] data="foo='bar' dog='cat' frog='bat'"
Splunk is actually handling the extractions just fine, except that each value pair is:
'bar', 'cat', 'bat'
(They have the included single-tick in the value.) Is there an easy way to fix this? From Splunk documentation and a blog post from 2008 I've gathered that the quotation marks around the values are called "quoters" and they are not configurable to be different characters like an apostrophe[1]. What else can I do?
[1] http://blogs.splunk.com/2008/02/12/delimiter-based-key-value-pair-extraction/
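
The quoting problem described in the post, worked through in Python as an added example (not part of the original post and not Splunk's own extraction code): a regex that accepts the apostrophe as a quote character, so the values come out without the ticks. The function names and the extra sample values are constructed for illustration.

```python
import re

# Wrapper added by the logging daemon in the post: [hostname] data="..."
WRAPPER = re.compile(r'^\[(?P<host>[^\]]+)\]\s+data="(?P<data>.*)"\s*$')

# One key/value pair. The value may be single-quoted (the rewritten form),
# double-quoted (the original form) or unquoted.
PAIR = re.compile(
    r"""(?P<key>\w+)=(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>\S+))"""
)


def parse_pairs(text):
    """Return {key: value} with the surrounding quote characters removed."""
    fields = {}
    for m in PAIR.finditer(text):
        # Exactly one alternative matched; an empty quoted value is '' (not None).
        value = next(
            v for v in (m.group("sq"), m.group("dq"), m.group("bare"))
            if v is not None
        )
        fields[m.group("key")] = value
    return fields


def parse_event(line):
    """Return (host, fields). host is None when the line has no wrapper."""
    m = WRAPPER.match(line)
    if m is None:
        # Original, unwrapped form: foo="bar" dog="cat" frog="bat"
        return None, parse_pairs(line)
    # Wrapped form: parse only the payload inside data="...", so the
    # wrapper itself is not mistaken for one large double-quoted value.
    return m.group("host"), parse_pairs(m.group("data"))


if __name__ == "__main__":
    # Sample lines taken from the post.
    wrapped = "[hostname] data=\"foo='bar' dog='cat' frog='bat'\""
    original = 'foo="bar" dog="cat" frog="bat"'
    print(parse_event(wrapped))
    print(parse_event(original))
```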