Hello all. I feel this should be simple, but not working for me. I receive lots of different data types on one port. For one particular type, I want to just forward it on, completely untouched, to a different host on a different port as JSON. I am using the TCP JSON output. The issue is, Cribl is setting the metadata and parsing fields, such as _raw. I don't want any parsing, no fields, no metadata- just the raw data. I must be missing something? Thanks in advance for any suggestions.
Question
Passing data to another host with no extra meta data
+1Did you try sending it through the passthru pipeline?
What destination are you sending to?If it's not Splunk, you can drop fields you don't want going out the door before you transmit.
+1you can remove host and _time fields
+1use a post processing pipelne to do that
+1and the eval function
+1_raw is the raw event I would think you need that
+1ok guess i thought _raw was the raw data. Iwill wait for someone from Cribl to chime in.
You can also create a pipeline that doesn't do anything other than remove the fields you don't want passed on. I do that in Packs, becaus they're more portable, but to each his own.
use that instead of a pass-thru. it acts like a pass-thru
but gives you more control.
Hey Steve, What source is receiving the data? I'd need to doublecheck - there is probably a better way to do this - but you could just create a 2-function pipeline to parse out the fields from _raw and then remove _raw, _time, and host:
Sign up
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.