I'm trying to serialize into JSON and just keep the _raw field left over after bringing all the fields together. How do I prevent the double underscore internal Cribl fields from being inserted into the _raw field I'm creating?
https://docs.cribl.io/stream/introduction-reference#wildcard-lists negate them with ! in the Fields to serialize field.
It didn't seem to work within the serializing function. I had to add an eval before the serialize and explicitly remove all double underscore fields that way.
Kind of annoying
Since I'm not seeing them until I forward them to Splunk. They don't show up in my previews of my log samples
in the fields to serialize field:
`!* !cribl* *`
I see now. I had the wildcard first but you need to put all excludes first.
yep! let me know how it goes