How do I prevent the double underscore internal Cribl fields from being inserted into the _raw?

Eric Reusche · September 2023

I'm trying to serialize into JSON and just keep the _raw field left over after bringing all the fields together. How do I prevent the double underscore internal Cribl fields from being inserted into the _raw field I'm creating?

Brandon McCombs · September 2023

https://docs.cribl.io/stream/introduction-reference#wildcard-lists|https://docs.cribl.io/stream/introduction-reference#wildcard-lists negate them with ! In the Fields to serialize field.

Eric Reusche · September 2023

It didn't seem to work within the serializing function. I had to add an eval before the serialize and explicitly remove all double underscore fields that way

Eric Reusche · September 2023

Kind of annoying

Eric Reusche · September 2023

Since I'm not seeing them until I forward them to Splunk. They don't show up in my previews of my log samples

Jon Rust · September 2023

in the fields to serialize field: `!* !cribl* *`

Eric Reusche · September 2023

I see now. I had the wildcard first but you need to put all excludes first.

Jon Rust · September 2023

yep! let me know how it goes

How do I prevent the double underscore internal Cribl fields from being inserted into the _raw?

Answers

Categories