Open brandonganem opened 8 years ago
TheProducer835
commented
8 years ago quotes would only be required if there were spaces in the key or value. Splunk Automagically recognizes key=value and auto extracts as field=value - is there some behavior you are seeing to the contrary?
brandonganem
commented
8 years ago You're right, the issue is there are no quotes when there are spaces in the logs currently. For example: Mon Jun 13 18:00:28 EDT 2016 name=PlayerEvent event_id= game_time=3220 world=World Name x=-94 y=151 z=262 action=player_connect player=xxxxxx message=You are not whitelisted on this server!
TheProducer835
commented
8 years ago Goodpoint. That field is new and should have quotes. Not sure it is required on all though.
brandonganem
commented
8 years ago I'm inclined to agree. Doesn't look like many need quotes, just a few that could have spaces.
Or better yet, move the output to JSON ;)
TheProducer835
commented
8 years ago I second that! I don't think there is a reason to keep it k=v honestly. @mzeb might have insight as to why it was K=V to begin with
KV pairs in the log should be quoted to ensure proper field use in Splunk.