We have updated our Terms of Service, Code of Conduct, and Addendum.

Cribl Parser Question

Sanvy Ronny Sabapathee
Sanvy Ronny Sabapathee Posts: 2
in Stream

Hiya

I have a pipeline set up from a datagen source (business events) - see attached first image


As you can see the event has fields, now I want to remove fields - source and sourcetype - no matter what I try in the "fields to remove" nothing gets removed (see output) below

Screenshot 2024-03-07 at 2.14.10 pm.png
Screenshot 2024-03-07 at 2.17.00 pm.png

I am trying to get the UI to show in red - the fields that are to be dropped

here is something even weirder - when I do "!(name.startsWith('source'))" for filter by expression - it shows me the new JSON payload but the UI still has source and sourcetype in it.

Answers

  • Wayne Gillo
    Wayne Gillo Posts: 4

    Two suggestions:

    1. Put an Eval function in that will change the unwanted fields to undefined. ie: sourcetype —> undefined, source —> undefined
    2. Have you tried adding in a !source !sourcetype before the list of fields?

  • Wayne Gillo
    Wayne Gillo Posts: 4

    Yeah, that worked for me. I defined a preprocessing pipeline that does this:

    image.png
    image.png
    image.png

    and finally in Splunk:

    image.png

  • Sanvy Ronny Sabapathee
    Sanvy Ronny Sabapathee Posts: 2

    Thank you kindly I will give that a shot

Categories