kv parses just fine values within double quotes (and probably also with single quote). However, it parses the value as key-value if the value contains equal signs. This can be reproduced with an empty kv filter such as:
With the following item, the value in cgfattr get split further and we end up with weird keys in Elastic Search:
date=2015-05-18 time=14:13:48 devname=FG140XXXX devid=FG140XXXXT logid=0100044547 type=event subtype=system level=information vd="VirtualDomain" logdesc="Configure object attribute" user="user1" ui="jsconsole" action=Edit cfgtid=1790967809 cfgpath="system.wccp" cfgobj="101" cfgattr="password[ENC K7taRRarXYdpNvARTqktIeNcecPbJB6gsRQPLKjjftFAj81qnhoGStE4PKI9PGjYodn/Z/f26bcGG0FDpsq4scGzMONwrNuV973xkizVF/YawO8kDmdAlCJeFVHJG99J1gwVhxqjz6cmWSF5aI6FcgAfyk4gjh4yJe0p/oWks3bXxCT2Q/6juahXAIqBtIY9ZJCMJw==->ENC K7taRTt0SmYF1SbAdZes1UJbKzwzFyD/0nrlQ6JHH0Dir6kdtDCtdrT5f9/GfwxmkmAS7hNS+Tidmrrczxf1FNdedgIQIt6gVx+C1J63RWtOp+D68aDScOgBXkO05An3o8EGo4+GyYIr1yUtG1QEGYlbJ7ZhTkYNmpxCi55PdHFZeGROMjvhfB7cSwsGjHpskFk4ug==]" msg="Edit system.wccp 101"
kv parses just fine values within double quotes (and probably also with single quote). However, it parses the value as key-value if the value contains equal signs. This can be reproduced with an empty kv filter such as:
With the following item, the value in cgfattr get split further and we end up with weird keys in Elastic Search: