"2013-12-19 11:13:23", "[INFO]", "30927", "MainProcess", "SSMITH"
My data is coming into Splunk in this format, and when I select to look at it in raw form this is an example of one of my logs. The issue I am having is that when I want to search for a field I have to search for it in the following way or it won't show up:
levelname=""[INFO]""
I need the initial quotes around each field because some of the fields may have commas in them and the delimiter is also a comma. Is there a config I can use so I don't have to escape the quotes when searching for a field value? Or any advice besides changing the delimiter to fix the issue?