Can I add a field that isn’t added to _raw, like not show up in the JSON that is the event?

Jon Rust

Can I add a field that isn't added to _raw, like not show up in the JSON that is the event?

Tony Reinke

static data or where would the field come from?

xpac xpac

I mean, you can just set any field to an value, anything that is not _raw (and the few Splunk default fields) will end up as additional index time fields in Splunk

Jon Rust

I'm setting an orig_index for tracking purposes and it is showing up in the JSON for the events.

Jon Rust

That value is from the index specified on the UF when it comes into Cribl. The data is being forked, so one splunk instance needs the original index and the other needs a new, different index, but I need to keep track of that index for now.

Brandon McCombs

Are you using the Serialize function to create the JSON or is the JSON coming in your original event? It's not clear.

Jon Rust

These are added to the event, set in an eval in Cribl, which is also serializing the events: {`"orig_host":"DXXXXXXX5","orig_index":"XXXXX_windows_multi","orig_source":"XmlWinEventLog:Application"`,"Provider_Name":"Trellix Endpoint Security","EventID_Qualifiers":"8192","EventID__value":"3","Level":"2","Task":"0","Keywords":"0x80000000000000","EventRecordID":"61646","Channel":"Application","Computer":"http://DXXXXXXX5.XXX.XXX|DXXXXXXX5.XXX.XXX","Security_UserID":"X-X-X-X"}

Jon Rust

So it isn't really that __raw_ is changed, so much as transformed and therefore puts those values into the JSON string as well, though they don't have any reason to be in the event. I want it to be more like cribl_pipe, and not show in the event.

xpac xpac

So there's two possibilities: when sent to Splunk, your events have no _raw field. Cribl will then auto serialize all fields into a JSON and write that into _raw, because Splunk cannot deal with events without _raw

xpac xpac

Or you're using the JSON serialize of the Windows Pack?

Brandon McCombs

The Serialize function lets you choose which fields to include in the new serialized data but if you are serializing in a different way then we'd need to see that.

Jon Rust

One of the Cribl pipes it is going through is: Splunk_UF_Windows_XML_WEC_WEF_Sysmon which is I believe the one that makes the JSON data from the event.

Jon Rust

But perhaps I'm mistaken...

xpac xpac

Yeah, look if that pipe has a serialize function at the end

Jon Rust

So I would have to add another `!orig_` to the "Fields to serialize*" then, right?

xpac xpac

Yep

Jon Rust

That was what I have been looking for. Thanks all! It takes a Village.

xpac xpac

I'll send you my kid for a day

Jon Rust

Okay. Ready to receive. :duck_love:

Jon Rust

FYI: That worked.