Can I add a field that isn’t added to _raw, like not show up in the JSON that is the event?
Answers
-
static data or where would the field come from?
0 -
I mean, you can just set any field to a value; anything that is not _raw (and the few Splunk default fields) will end up as additional index-time fields in Splunk.
0 -
I'm setting an orig_index for tracking purposes and it is showing up in the JSON for the events.
0 -
That value is from the index specified on the UF when it comes into Cribl. The data is being forked, so one splunk instance needs the original index and the other needs a new, different index, but I need to keep track of that index for now.
0 -
Are you using the Serialize function to create the JSON or is the JSON coming in your original event? It's not clear.
0 -
These are added to the event, set in an eval in Cribl, which is also serializing the events: `{"orig_host":"DXXXXXXX5","orig_index":"XXXXX_windows_multi","orig_source":"XmlWinEventLog:Application","Provider_Name":"Trellix Endpoint Security","EventID_Qualifiers":"8192","EventID__value":"3","Level":"2","Task":"0","Keywords":"0x80000000000000","EventRecordID":"61646","Channel":"Application","Computer":"http://DXXXXXXX5.XXX.XXX|DXXXXXXX5.XXX.XXX","Security_UserID":"X-X-X-X"}`
0 -
So it isn't really that `_raw` is changed, so much as transformed, and therefore it puts those values into the JSON string as well, though they don't have any reason to be in the event. I want it to be more like cribl_pipe, and not show in the event.
0 -
So there are two possibilities: when sent to Splunk, your events have no _raw field. Cribl will then auto-serialize all fields into JSON and write that into _raw, because Splunk cannot deal with events without _raw.
0 -
Or you're using the JSON serialize of the Windows Pack?
0 -
The Serialize function lets you choose which fields to include in the new serialized data but if you are serializing in a different way then we'd need to see that.
0 -
One of the Cribl pipes it is going through is: Splunk_UF_Windows_XML_WEC_WEF_Sysmon which is I believe the one that makes the JSON data from the event.
0 -
But perhaps I'm mistaken...
0 -
Yeah, look if that pipe has a serialize function at the end
0 -
So I would have to add another `!orig_` to the "Fields to serialize*" then, right?
0 -
Yep
0 -
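To make the Serialize behaviour discussed above concrete, here is an added Python illustration (not Cribl's code, and not posted by anyone in this thread) of how a Cribl-style "Fields to serialize" list with `*` wildcards and `!` exclusions decides what lands in `_raw` and what stays a top-level field that Splunk then picks up as an index-time field. The precedence rule (an exclusion always wins over an include), the `NEVER_SERIALIZE` list, the `field_selected`/`serialize_event` names, the choice to drop serialized fields from the top level, and the sample event are all assumptions of this illustration.

```python
import fnmatch
import json

# Assumed convention for this illustration: _raw itself and the Splunk
# default metadata fields are never folded into the serialized payload.
NEVER_SERIALIZE = ("_raw", "_time", "index", "host", "source", "sourcetype")


def field_selected(name, patterns):
    """Decide whether a field is serialized into _raw.

    Patterns use '*' wildcards; a leading '!' negates. Assumed precedence:
    if any negated pattern matches, the field is excluded; otherwise it must
    match at least one include pattern.
    """
    includes = [p for p in patterns if not p.startswith("!")]
    excludes = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatch.fnmatchcase(name, p) for p in excludes):
        return False
    return any(fnmatch.fnmatchcase(name, p) for p in includes)


def serialize_event(event, patterns):
    """Build _raw from the selected fields.

    Selected fields are moved into the JSON payload; everything else stays a
    top-level field on the event, which is what Splunk receives as an
    index-time field (the orig_* tracking fields in the thread's case).
    """
    payload = {
        k: v for k, v in event.items()
        if k not in NEVER_SERIALIZE and field_selected(k, patterns)
    }
    out = {k: v for k, v in event.items() if k not in payload}
    out["_raw"] = json.dumps(payload, separators=(",", ":"))
    return out


def raw_payload(result):
    """Parse the JSON that ended up in _raw (convenience for inspection)."""
    return json.loads(result["_raw"])


# Constructed sample event, shaped like the one pasted in the thread.
SAMPLE_EVENT = {
    "_time": 1700000000,
    "host": "DXXXXXXX5",
    "index": "XXXXX_windows_multi",
    "orig_host": "DXXXXXXX5",
    "orig_index": "XXXXX_windows_multi",
    "orig_source": "XmlWinEventLog:Application",
    "Provider_Name": "Trellix Endpoint Security",
    "EventID__value": "3",
    "Level": "2",
    "Channel": "Application",
}

# The field list the thread converges on: serialize everything except orig_*.
PATTERNS = ["*", "!orig_*"]


def demo():
    return serialize_event(SAMPLE_EVENT, PATTERNS)


if __name__ == "__main__":
    result = demo()
    print("_raw:", result["_raw"])
    print("index-time fields:", {k: v for k, v in result.items() if k != "_raw"})
```

Running it shows `_raw` containing only the Windows event fields, while `orig_host`, `orig_index` and `orig_source` remain beside `_raw` as plain fields, which is the "like cribl_pipe" outcome asked for above.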
That was what I have been looking for. Thanks all! It takes a Village.
0 -
I'll send you my kid for a day
0 -
Okay. Ready to receive. :duck_love:
0 -
FYI: That worked.
0