L.s.,
Maybe easy answer for all of you . We have got an HEC input and when i capture the live data i see as host the Cribl worker which is recieving the data. Why is that host filled?
In the message itself there is also a host, but the right one. So i send the message in _raw to Splunk and delete the rest (also the wrong host). But tadaa.. there are two host in Splunk. The reciever Cribl and the one from the message.
Any clue why?
Thanks in advance
Jari
Can you share a sample of the JSON?
I have attached a capture of the input (so some extra fields). I have stripped it from the private parts and renamed the host in WRONGHOST and RIGHTHOST.
This is from the source itself. So what is the WORNGHOST doing there? I can understand the RIGHTHOST later on after the pipeline, that is supposed to be. The input is a hec source (which is fed by a Cribl by the way…)
I can rewrite the host in the pipeline, but when i export it to Splunk he sees 2 the same hostanmes in host.
Thanks in advance
The RIGHTHOST value is inside the message, not a field. WRONGHOST is in the host field. If you want to replace the host field with the value of RIGHTHOST, you'd do this in a pipeline with one of Eval, Regex Extract, Parse, etc.
(Your JSON is busted. Dunno if it started out that way. If you intend to use the data as JSON, you'll need to remove the final }from the _raw payload.)
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.