We have updated our Terms of Service, Code of Conduct, and Addendum.

Can I add a field that isn’t added to _raw, like not show up in the JSON that is the event?

Options

Can I add a field that isn't added to _raw, like not show up in the JSON that is the event?

Answers

  • Tony Reinke
    Options

    static data or where would the field come from?

  • xpac xpac
    xpac xpac Posts: 148 ✭✭✭
    Options

    I mean, you can just set any field to an value, anything that is not _raw (and the few Splunk default fields) will end up as additional index time fields in Splunk

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    I'm setting an orig_index for tracking purposes and it is showing up in the JSON for the events.

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    That value is from the index specified on the UF when it comes into Cribl. The data is being forked, so one splunk instance needs the original index and the other needs a new, different index, but I need to keep track of that index for now.

  • Brandon McCombs
    Options

    Are you using the Serialize function to create the JSON or is the JSON coming in your original event? It's not clear.

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    These are added to the event, set in an eval in Cribl, which is also serializing the events: {`"orig_host":"DXXXXXXX5","orig_index":"XXXXX_windows_multi","orig_source":"XmlWinEventLog:Application"`,"Provider_Name":"Trellix Endpoint Security","EventID_Qualifiers":"8192","EventID__value":"3","Level":"2","Task":"0","Keywords":"0x80000000000000","EventRecordID":"61646","Channel":"Application","Computer":"http://DXXXXXXX5.XXX.XXX|DXXXXXXX5.XXX.XXX","Security_UserID":"X-X-X-X"}

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    So it isn't really that __raw_ is changed, so much as transformed and therefore puts those values into the JSON string as well, though they don't have any reason to be in the event. I want it to be more like cribl_pipe, and not show in the event.

  • xpac xpac
    xpac xpac Posts: 148 ✭✭✭
    Options

    So there's two possibilities: when sent to Splunk, your events have no _raw field. Cribl will then auto serialize all fields into a JSON and write that into _raw, because Splunk cannot deal with events without _raw

  • xpac xpac
    xpac xpac Posts: 148 ✭✭✭
    Options

    Or you're using the JSON serialize of the Windows Pack?

  • Brandon McCombs
    Options

    The Serialize function lets you choose which fields to include in the new serialized data but if you are serializing in a different way then we'd need to see that.

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    One of the Cribl pipes it is going through is: Splunk_UF_Windows_XML_WEC_WEF_Sysmon which is I believe the one that makes the JSON data from the event.

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    But perhaps I'm mistaken...

  • xpac xpac
    xpac xpac Posts: 148 ✭✭✭
    Options

    Yeah, look if that pipe has a serialize function at the end

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    So I would have to add another `!orig_` to the "Fields to serialize*" then, right?

  • xpac xpac
    xpac xpac Posts: 148 ✭✭✭
    Options

    Yep

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    That was what I have been looking for. Thanks all! It takes a Village.

  • xpac xpac
    xpac xpac Posts: 148 ✭✭✭
    Options

    I'll send you my kid for a day :grin:

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    Okay. Ready to receive. :duck_love:

  • Jon Rust
    Jon Rust Posts: 440 mod
    Options

    FYI: That worked. :)