I really wish Splunk would put the same intelligence for field extraction in the MKV output as for the KV output. The KV output is smart enough to escape funny characters and add quotes for strings with spaces in them.
Oh well. My solution was even simpler: clean up the events at the source. I ended up cleaning up my poorly formatted strings by running regexp_replace in my SQL query wherever I knew I might have had an ugly string. This cleaned up any special control characters as well as unmatched quotes. With this string clean-up in place, going back and using the KV output worked perfectly:
select
  -- date columns rendered as text in a fixed format
  to_char(lastmodified,'YYYY/MM/DD HH24:MI:SS') timestamp,
  to_char(lastmodified,'YYYY/MM/DD HH24:MI:SS') lastmodified,
  to_char(firstoccurrence,'YYYY/MM/DD HH24:MI:SS') firstoccurrence,
  to_char(lastoccurrence,'YYYY/MM/DD HH24:MI:SS') lastoccurrence,
  -- free-text columns: strip control characters and double quotes
  -- (removed outright in summary/text1, replaced by a space in text2/text3)
  regexp_replace(summary,'[[:cntrl:]]|\"', '') summary,
  regexp_replace(text1,'[[:cntrl:]]|\"', '') text1,
  regexp_replace(text2,'[[:cntrl:]]|\"', ' ') text2,
  regexp_replace(text3,'[[:cntrl:]]|\"', ' ') text3,
  serial
from
  Blah...
where
  Blah-Blah
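The following is an added example, not code from the post or from Splunk DB Connect, showing why unmatched quotes and control characters in a free-text column break key=value extraction and how the same clean-up applied at the source fixes it. The KV writer, the line-based event breaking and the key=value extractor are simplified stand-ins for Splunk's behaviour (assumptions, not Splunk's code), and the sample rows are constructed.

```python
import re

# Constructed sample rows (not taken from the original post). The second row
# carries the kinds of junk the post describes: a tab, a newline and an
# unmatched double quote inside a free-text column.
SAMPLE_ROWS = [
    {"serial": "1001", "summary": "Link down on eth0", "text1": "site A"},
    {"serial": "1002", "summary": 'Operator note: "check fan\tspeed\n', "text1": "site B"},
]

# Python equivalent of the poster's Oracle pattern '[[:cntrl:]]|\"': the POSIX
# [[:cntrl:]] class is the ASCII control range plus DEL, and the alternation
# also strips every double quote.
CLEANUP_RE = re.compile(r'[\x00-\x1f\x7f]|"')


def clean(value: str, replacement: str = "") -> str:
    """Same clean-up as the regexp_replace in the query, applied in Python."""
    return CLEANUP_RE.sub(replacement, value)


def to_kv(row: dict) -> str:
    """Minimal key=value writer (an assumption, not DB Connect's code): values
    containing whitespace are wrapped in double quotes, but embedded quotes
    are not escaped, which is exactly the case the clean-up is meant to prevent."""
    parts = []
    for key, value in row.items():
        if re.search(r"\s", value):
            parts.append(f'{key}="{value}"')
        else:
            parts.append(f"{key}={value}")
    return " ".join(parts)


# Simplified Splunk-style automatic KV extraction: key="quoted value" or key=bareword.
KV_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def extract_kv(event: str) -> dict:
    fields = {}
    for m in KV_PAIR_RE.finditer(event):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def split_events(output: str) -> list:
    """Line-based event breaking: a newline inside a value starts a new event."""
    return [line for line in output.split("\n") if line.strip()]


def ingest(rows: list, replacement=None) -> list:
    """Serialise rows to KV, break into events and extract fields.

    replacement=None reproduces the original problem (no clean-up);
    a string applies clean() with that replacement before serialising."""
    if replacement is not None:
        rows = [{k: clean(v, replacement) for k, v in r.items()} for r in rows]
    output = "\n".join(to_kv(r) for r in rows)
    return [extract_kv(e) for e in split_events(output)]


if __name__ == "__main__":
    print("without clean-up:")
    for ev in ingest(SAMPLE_ROWS):
        print("  ", ev)
    print("with clean-up at the source:")
    for ev in ingest(SAMPLE_ROWS, " "):
        print("  ", ev)
```

Without the clean-up, the dirty row becomes two events: the unmatched quote truncates `summary` after "Operator note: " and the embedded newline pushes `text1` into an event of its own. With the clean-up applied, both rows come back as one event each with all three fields intact. Replacing with an empty string (as the post does for summary and text1) merges words that were separated only by a tab, which is why replacing with a space (as the post does for text2 and text3) is often the safer choice.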