I'm trying to serialize into JSON and just keep the _raw field left over after bringing all the fields together. How do I prevent the double underscore internal Cribl fields from being inserted into the _raw field I'm creating?
https://docs.cribl.io/stream/introduction-reference#wildcard-lists negate them with ! in the Fields to serialize field.
It didn't seem to work within the serializing function. I had to add an eval before the serialize and explicitly remove all double underscore fields that way.
Kind of annoying
Since I'm not seeing them until I forward them to Splunk. They don't show up in my previews of my log samples
In the Fields to serialize field: `!* !cribl* *`
I see now. I had the wildcard first but you need to put all excludes first.
yep! let me know how it goes