Did you try sending it through the passthru pipeline?

What destination are you sending to?If it's not Splunk, you can drop fields you don't want going out the door before you transmit.

post processing pipeline/Pack

If I use passthru pipeline, Crible sets metadata fields host and _time

so can't use that

you can remove host and _time fields

use a post processing pipelne to do that

and the eval function

I guess I will have to mask the _raw at the beginning also?

_raw is the raw event I would think you need that

that will work I guess, but I thought there must be a simpler way

I need the data untouched, so no field name

it comes in as raw json, like {data1:"blah"}

in the output I have "_raw":"{bl;ah.."

ok guess i thought _raw was the raw data. Iwill wait for someone from Cribl to chime in.

You can also create a pipeline that doesn't do anything other than remove the fields you don't want passed on. I do that in Packs, becaus they're more portable, but to each his own.

use that instead of a pass-thru. it acts like a pass-thru

but gives you more control.

Thanks for the suggestion of using post-processing. That fixed the metadata stuff.

However, I still have a _raw field

so my incoming message looks like {json_field1:blah...

I need to get rid of the field name _raw

outgoing looks like raw: {json....

I tried masking it

Hey Steve, What source is receiving the data? I'd need to doublecheck - there is probably a better way to do this - but you could just create a 2-function pipeline to parse out the fields from _raw and then remove _raw, _time, and host: