
host in hec events

L.s.,

Maybe an easy answer for all of you. We have got an HEC input and when I capture the live data I see as host the Cribl worker which is receiving the data. Why is that host filled?

In the message itself there is also a host, but the right one. So I send the message in _raw to Splunk and delete the rest (also the wrong host). But tadaa.. there are two hosts in Splunk: the receiver Cribl and the one from the message.

Any clue why?

Thanks in advance

Jari

Answers

  • Jon Rust
    Jon Rust Posts: 475 mod

    Can you share a sample of the JSON?

  • I have attached a capture of the input (so some extra fields). I have stripped it of the private parts and renamed the hosts to WRONGHOST and RIGHTHOST.

    This is from the source itself. So what is the WRONGHOST doing there? I can understand the RIGHTHOST later on after the pipeline, that is how it is supposed to be. The input is a HEC source (which is fed by a Cribl, by the way…)

    I can rewrite the host in the pipeline, but when I export it to Splunk it sees 2 of the same hostnames in host.

    Thanks in advance

  • Jon Rust
    Jon Rust Posts: 475 mod

    The RIGHTHOST value is inside the message, not a field. WRONGHOST is in the host field. If you want to replace the host field with the value of RIGHTHOST, you'd do this in a pipeline with one of Eval, Regex Extract, Parse, etc.

    (Your JSON is busted. Dunno if it started out that way. If you intend to use the data as JSON, you'll need to remove the final } from the _raw payload.)
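The step Jon describes (take the host that lives inside _raw and write it into the event's host field) can be sketched in plain JavaScript. This is an added illustration, not Cribl's own pipeline code or config: the event shape, the function names and the sample values (WRONGHOST, RIGHTHOST, the stray trailing `}`) are constructed to mirror the thread, and the repair of the extra `}` is only the lenient retry Jon's last remark suggests.

```javascript
// Added example (not Cribl's code). Simulates what an Eval/Parse step would do:
// replace the host field set by the receiving worker with the host inside _raw.

// Constructed sample event, shaped after the thread: the HEC input filled host
// with the receiving worker, the real host sits in _raw, and _raw carries one
// extra trailing "}" (the "busted JSON" Jon points out).
const sampleEvent = {
  host: 'WRONGHOST',
  _raw: '{"host":"RIGHTHOST","message":"hello"}}',
};

// Try to parse _raw as JSON; if that fails, strip one trailing "}" and retry.
// Returns { value, repaired } where value is null when nothing parses.
function parseRawLenient(raw) {
  try {
    return { value: JSON.parse(raw), repaired: false };
  } catch (e) {
    const trimmed = raw.replace(/\s*\}\s*$/, '');
    try {
      return { value: JSON.parse(trimmed), repaired: true };
    } catch (e2) {
      return { value: null, repaired: false };
    }
  }
}

// Find the host inside the payload: JSON first, then a regex fallback for
// payloads that are not valid JSON at all.
function extractHostFromRaw(raw) {
  const parsed = parseRawLenient(raw);
  if (parsed.value && typeof parsed.value.host === 'string') {
    return { host: parsed.value.host, parsed };
  }
  const m = /"host"\s*:\s*"([^"]+)"/.exec(raw);
  return { host: m ? m[1] : null, parsed };
}

// Rewrite the event: host becomes the value from _raw, the worker's value is
// kept in originalHost for troubleshooting, and a repaired payload replaces
// _raw only when a repair was actually needed. Events with no host in _raw
// are returned unchanged.
function rewriteHost(event) {
  const { host, parsed } = extractHostFromRaw(event._raw);
  if (host === null) return { ...event };
  return {
    ...event,
    host,
    originalHost: event.host,
    _raw: parsed.repaired ? JSON.stringify(parsed.value) : event._raw,
  };
}

console.log(rewriteHost(sampleEvent));
```

Run as-is it prints the rewritten sample event; the same logic applied to a well-formed payload leaves _raw untouched and only swaps the host field.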