I have input data that looks like:
time=2017-05-29 calendar:num_1day_active_users=10437 gplus:num_1day_active_users=1 docs:num_1day_active_users=0 gmail:num_1day_active_users=24594 drive:num_1day_active_users=15787
I have done minimal work to props.conf, mostly to set up timestamp parsing.
The problem is that all the field names are being extracted as num_1day_active_users, and I am only getting the first value in the event (I get num_1day_active_users=10437).
If the colon were a period, then Splunk would auto-convert it to an underscore, and the fields would extract with names calendar_num_1day_active_users, gplus_num_1day_active_users, docs_num_1day_active_users, gmail_num_1day_active_users, and drive_num_1day_active_users.
How can I get Splunk to do the same for field names that contain colons?
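The naming the question asks for, as an added example that is not part of the original post and is not Splunk's own code: a Python model that parses the sample event, keeps the text before the colon, and converts every non-alphanumeric character in a key to an underscore. The function names and the `PAIR` pattern are assumptions made for illustration; `naive_extract` reproduces the reported symptom for comparison.

```python
import re

# Sample event copied from the post above.
EVENT = ("time=2017-05-29 calendar:num_1day_active_users=10437 "
         "gplus:num_1day_active_users=1 docs:num_1day_active_users=0 "
         "gmail:num_1day_active_users=24594 drive:num_1day_active_users=15787")

# Whitespace-separated key=value pairs; the key may contain ':' or '.'.
# A value is either a double-quoted string or a run of non-space characters.
PAIR = re.compile(r'(?:^|\s)([^\s=]+)=("[^"]*"|\S*)')


def clean_key(key):
    """Replace each character outside [A-Za-z0-9_] with an underscore."""
    return re.sub(r'[^A-Za-z0-9_]', '_', key)


def extract_fields(event):
    """Return {cleaned_field_name: [values]} for every pair in the event.

    Values are kept in a list so that two keys which clean to the same
    name (for example 'a:b' and 'a.b') do not silently overwrite each other.
    """
    fields = {}
    for raw_key, value in PAIR.findall(event):
        fields.setdefault(clean_key(raw_key), []).append(value.strip('"'))
    return fields


def naive_extract(event):
    """Model of the symptom in the post: the name is only the text after
    the last ':' and the first value seen for a name wins."""
    fields = {}
    for raw_key, value in PAIR.findall(event):
        fields.setdefault(raw_key.rsplit(':', 1)[-1], value.strip('"'))
    return fields


if __name__ == "__main__":
    for name, values in extract_fields(EVENT).items():
        print(name, values)
    print("naive:", naive_extract(EVENT))
```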