I'm trying to serialize into JSON and just keep the _raw field left over after bringing all the fields together. How do I prevent the double underscore internal Cribl fields from being inserted into the _raw field I'm creating?
Question
How do I prevent the double underscore internal Cribl fields from being inserted into the _raw?
https://docs.cribl.io/stream/introduction-reference#wildcard-lists|https://docs.cribl.io/stream/introduction-reference#wildcard-lists negate them with ! In the Fields to serialize field.
It didn't seem to work within the serializing function. I had to add an eval before the serialize and explicitly remove all double underscore fields that way
Since I'm not seeing them until I forward them to Splunk. They don't show up in my previews of my log samples
in the fields to serialize field:`!* !cribl* *`
yep! let me know how it goes
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.