I'm having trouble getting the JSON under the "message" field recognized in splunk. Is there something simple I'm missing on the Cribl side of things to break this json out of message, or only keep the JSON in the message as the event?
is _raw shown as `a` or `{}`?
Try this: Parser function -> source _raw -> destination _raw -> JSON -> extract
now _raw should be `{}`. If yes, is message also `{}`, or still `a`?
add another Parser -> source _raw.message -> destination _raw.message -> JSON -> extract
_raw is now `{}`, message is still `a`
my bet is that the message field was escaped (double escaped?) JSON
with the 2nd parser, is it showing as `{}`?
yes it is
noice
should be good to send to splunk now
(to be safe, I'd probably add a final function, Serialize, to turn _raw (all of it) back into a string):
this time though, it will only be 1 level of stringification, so splunk will handle it
it took a minute but looks great in Splunk now
Thanks for the help!
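To make the three-step fix from the thread concrete, here is an added example in plain JavaScript (Cribl's functions are configured in its UI, and this is not Cribl's own code) that mimics the two Parser functions in JSON extract mode and the final Serialize. The event, its field values, and the dot-path helpers are constructed for the example; the behaviour it models is the one the thread describes: `_raw` is JSON whose `message` field holds a second, stringified JSON document, so a single parse on the Splunk side still shows `message` as a string.

```javascript
// Constructed sample: an upstream sender JSON-encoded its event twice, so the
// "message" field inside _raw is itself a JSON string (the "double escaped" case).
const inner = { user: 'alice', action: 'login', src_ip: '203.0.113.7', ok: true };
const outer = { host: 'web-01', level: 'INFO', message: JSON.stringify(inner) };
const sampleEvent = { _raw: JSON.stringify(outer) };

// Minimal dot-path accessors so "_raw.message" can be used as a field path.
function getPath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

function setPath(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur[key] == null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
}

// Models a Parser function (type JSON, mode extract): parse the JSON string at
// srcField and store the resulting object at dstField. Strings that do not look
// like a JSON object/array, already-parsed objects and malformed JSON are left
// untouched, which is why a Parser pointed at the wrong field changes nothing.
function parserJsonExtract(event, srcField, dstField) {
  const value = getPath(event, srcField);
  if (typeof value !== 'string') return false;
  const trimmed = value.trim();
  if (!(trimmed.startsWith('{') || trimmed.startsWith('['))) return false;
  let parsed;
  try {
    parsed = JSON.parse(trimmed);
  } catch {
    return false;
  }
  setPath(event, dstField, parsed);
  return true;
}

// Models a Serialize function (type JSON): turn the object at srcField back into
// a single JSON string at dstField, i.e. exactly one level of stringification.
function serializeJson(event, srcField, dstField) {
  setPath(event, dstField, JSON.stringify(getPath(event, srcField)));
}

// The pipeline from the thread: Parser(_raw), Parser(_raw.message), Serialize(_raw).
function runPipeline(event) {
  const e = JSON.parse(JSON.stringify(event)); // deep copy; leave the input alone
  parserJsonExtract(e, '_raw', '_raw');
  parserJsonExtract(e, '_raw.message', '_raw.message');
  serializeJson(e, '_raw', '_raw');
  return e;
}

// What a downstream consumer that parses _raw once (like Splunk's JSON extraction)
// sees: with the original event, message is still a string; after the pipeline
// it is a real object whose keys become searchable fields.
function singleParseView(rawString) {
  return JSON.parse(rawString);
}

const before = singleParseView(sampleEvent._raw);
const after = singleParseView(runPipeline(sampleEvent)._raw);
console.log('before: message is a', typeof before.message, '->', before.message);
console.log('after : message is an', typeof after.message, '->', JSON.stringify(after.message));
```

The guard in `parserJsonExtract` matters in practice: an event whose `message` is ordinary text passes through the second Parser unchanged, so the same pipeline can sit in front of a mixed source without mangling non-JSON messages. The closing Serialize is what keeps Splunk's view to one level of stringification, as the thread notes.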