I'm having trouble getting the JSON under the "message" field recognized in splunk. Is there something simple I'm missing on the Cribl side of things to break this json out of message, or only keep the JSON in the message as the event?
Question
Passing the message field in JSON to Splunk
is _raw shown as `a` or `{}`?
Try this:Parser function-> source _raw-> destination _raw-> JSON-> extract
now _raw should be `{}`if yes, is message also `{}`, or still `a`?
add another parser-> source _raw.message-> destination _raw,message-> JSON-> extract
my bet is that the message field was escaped (double escaped?) JSON
with the 2nd parser, is it showing as `{}`?
noice
should be good to send to splunk now
(to be safe, i'd probably add a final function, Serialize, to turn _raw (all of it) back into a string):
this time though, it will only be 1 level of stringification, so splunk will handle it
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.