Splunk best practices say to use key/value pairs. It also says to wrap values in quotes if they contain spaces. So, let's say I have a raw value of Fred Smith
:
my_key=name my_value="Fred Smith"
That's fine, I've added the quotes. But what if I have a raw value of " Fred Smith"
(note the quotes already present and the presence of a space at the start) - this would yield:
my_key=name my_value="" Fred Smith""
This would be treated as:
my_key=name my_value=""
my_key=Fred my_value=Smith""
What are the best practices for escaping quotes in Splunk values?
If you control the data format, which it appears you do, your options include:
You can control the search-time field extraction behavior by setting KV_MODE
. You may find that auto_escaped
will do the trick. See Setting KV_MODE for search-time data in the Splunk Knowledge Manager manual.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With