Question

Can I add a field that isn’t added to _raw, like not show up in the JSON that is the event?

  • March 11, 2025
  • 19 replies
  • 72 views

Jon Rust


19 replies

Tony Reinke
  • Inspiring
  • March 11, 2025

static data or where would the field come from?


  • Participating Frequently
  • March 11, 2025

I mean, you can just set any field to a value; anything that is not _raw (and the few Splunk default fields) will end up as additional index-time fields in Splunk.


Jon Rust
  • Author
  • Employee
  • March 11, 2025

I'm setting an orig_index for tracking purposes and it is showing up in the JSON for the events.


Jon Rust
  • Author
  • Employee
  • March 11, 2025

That value is from the index specified on the UF when it comes into Cribl. The data is being forked, so one Splunk instance needs the original index and the other needs a new, different index, but I need to keep track of that index for now.


Are you using the Serialize function to create the JSON or is the JSON coming in your original event? It's not clear.


Jon Rust
  • Author
  • Employee
  • March 11, 2025

These are added to the event, set in an eval in Cribl, which is also serializing the events:

{"orig_host":"DXXXXXXX5","orig_index":"XXXXX_windows_multi","orig_source":"XmlWinEventLog:Application","Provider_Name":"Trellix Endpoint Security","EventID_Qualifiers":"8192","EventID__value":"3","Level":"2","Task":"0","Keywords":"0x80000000000000","EventRecordID":"61646","Channel":"Application","Computer":"DXXXXXXX5.XXX.XXX","Security_UserID":"X-X-X-X"}


  • Participating Frequently
  • March 11, 2025

So there are two possibilities: when sent to Splunk, your events have no _raw field. Cribl will then auto-serialize all fields into JSON and write that into _raw, because Splunk cannot deal with events without _raw.


Jon Rust
  • Author
  • Employee
  • March 11, 2025

So it isn't really that _raw is changed, so much as transformed, and therefore puts those values into the JSON string as well, though they don't have any reason to be in the event. I want it to be more like cribl_pipe, and not show in the event.


  • Participating Frequently
  • March 11, 2025

Or you're using the JSON serialize of the Windows Pack?


The Serialize function lets you choose which fields to include in the new serialized data but if you are serializing in a different way then we'd need to see that.


Jon Rust
  • Author
  • Employee
  • March 11, 2025

One of the Cribl pipes it is going through is: Splunk_UF_Windows_XML_WEC_WEF_Sysmon, which is, I believe, the one that makes the JSON data from the event.


Jon Rust
  • Author
  • Employee
  • March 11, 2025

But perhaps I'm mistaken...


  • Participating Frequently
  • March 11, 2025

Yeah, look if that pipe has a serialize function at the end


Jon Rust
  • Author
  • Employee
  • March 11, 2025

So I would have to add another `!orig_` to the "Fields to serialize*" then, right?


  • Participating Frequently
  • March 11, 2025

Yep
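
The field-list behaviour settled on above, as an added Python model; it is not Cribl's code and not from the thread. It imitates the Serialize function's wildcard list (assumed here to be first-match-wins, with a leading `!` excluding) and the Splunk destination's fallback of serializing every remaining field when no `_raw` exists, so you can check offline which fields land inside `_raw` and which ride along only as index-time fields. The sample event is constructed from the redacted values in the post; the exclusions other than `!orig_*` are an assumption about what the pack's list already contains.

```python
"""Model of how a Splunk-bound Cribl event splits into _raw and index-time fields.

Constructed for this thread, not Cribl's implementation.  Assumptions:
  - wildcard lists are evaluated in order, first match wins, "!" excludes;
  - fields starting with "__" are internal and never leave Cribl;
  - _time/host/source/sourcetype/index are Splunk metadata, not indexed fields;
  - with no _raw present, all remaining fields are JSON-serialized into _raw.
"""
import fnmatch
import json

# Constructed event mirroring the one in the post (values redacted as posted).
# orig_* were set by an Eval function; the rest came from the Windows XML event.
EVENT = {
    "_time": 1741651200,
    "host": "DXXXXXXX5",
    "source": "XmlWinEventLog:Application",
    "sourcetype": "XmlWinEventLog",
    "index": "new_windows_index",            # rewritten for the forked Splunk
    "orig_host": "DXXXXXXX5",
    "orig_index": "XXXXX_windows_multi",     # index the UF originally asked for
    "orig_source": "XmlWinEventLog:Application",
    "Provider_Name": "Trellix Endpoint Security",
    "EventID__value": "3",
    "Level": "2",
    "Channel": "Application",
    "__inputId": "splunk:in_splunk_tcp",     # internal field, dropped on output
}

SPLUNK_META = {"_time", "host", "source", "sourcetype", "index"}

# Serialize "Fields to serialize" list: "!orig_*" placed before the catch-all.
# The other exclusions are assumed defaults, not something the thread states.
FIELDS = ["!orig_*", "!_*", "!cribl_*", "!host", "!source", "!sourcetype", "!index", "*"]


def wildcard_match(name, patterns):
    """First matching pattern decides; a leading '!' makes it an exclusion."""
    for pat in patterns:
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        if fnmatch.fnmatchcase(name, body):
            return not negate
    return False


def serialize_json(event, fields, dst="_raw"):
    """Model of Serialize (type=json): JSON-encode the selected fields into dst,
    leaving every other field on the event untouched."""
    selected = {k: v for k, v in event.items() if wildcard_match(k, fields)}
    out = dict(event)
    out[dst] = json.dumps(selected, separators=(",", ":"))
    return out


def to_splunk(event):
    """Model of the Splunk destination: returns (_raw, metadata, index-time fields).
    If no _raw exists, everything non-internal and non-metadata is serialized
    into _raw, which is the fallback described in the thread."""
    visible = {k: v for k, v in event.items() if not k.startswith("__")}
    if "_raw" not in visible:
        body = {k: v for k, v in visible.items() if k not in SPLUNK_META}
        visible["_raw"] = json.dumps(body, separators=(",", ":"))
    raw = visible.pop("_raw")
    meta = {k: visible.pop(k) for k in list(visible) if k in SPLUNK_META}
    return raw, meta, visible  # what is left becomes index-time fields


def raw_keys(raw):
    """Top-level keys of the JSON string that ended up in _raw."""
    return set(json.loads(raw))


def unfiltered():
    """Problem case: no Serialize in the pipeline, so orig_* land inside _raw."""
    raw, _, indexed = to_splunk(EVENT)
    return raw_keys(raw), set(indexed)


def filtered():
    """Fixed case: Serialize with '!orig_*' keeps orig_* out of _raw while they
    still arrive as index-time fields."""
    raw, _, indexed = to_splunk(serialize_json(EVENT, FIELDS))
    return raw_keys(raw), set(indexed)


if __name__ == "__main__":
    for label, fn in (("no serialize", unfiltered), ("!orig_* serialize", filtered)):
        in_raw, indexed = fn()
        print(f"{label}: orig_index in _raw={'orig_index' in in_raw}, "
              f"indexed={'orig_index' in indexed}")
```

Running the block prints one line per case; the second line is the state Jon wanted: `orig_index` absent from `_raw` but present as an index-time field, so `| tstats ... by orig_index` still works on the forked copy without the value polluting the event body.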


Jon Rust
  • Author
  • Employee
  • March 11, 2025

That was what I have been looking for. Thanks all! It takes a Village.


  • Participating Frequently
  • March 11, 2025

I'll send you my kid for a day :grin:


Jon Rust
  • Author
  • Employee
  • March 11, 2025

Okay. Ready to receive. :duck_love:


Jon Rust
  • Author
  • Employee
  • March 11, 2025

FYI: That worked. :)