I am trying to set up KV_MODE = auto_escaped for a particular source. The stanza looks like the following:
[source:///var/log/test.log]
KV_MODE = auto_escaped
I used the test data directly from the Splunk documentation:
field = "value with \"nested\" quotes."
The resulting search shows the field, field with a value with `\`.
I have set this in the props.conf on the deployer in the following areas:
$SPLUNKHOME/etc/master-apps/_cluster/local/props.conf
$SPLUNKHOME/etc/shcluster/apps/search/props.conf
Neither of these produces the correct results.