Splunk Search

creating new fields while adding events to the splunk's receivers endpoint


I set the key=value pairs into the body of the REST HTTP request directly using Java REST SDK API.

Example :

RequestMessage reqMsg = new RequestMessage();


reqMsg.getHeader().put("x-splunk-input-mode", "streaming");

reqMsg.setContent("hater = yes, nothater = no");

Then i send the message to the simple reciever rest endpoint.

String path = "/services/receivers/simple?host=localhost&index=main&source=addfields&sourcetype=addedfields";

ResponseMessage resMsg = authService.send(path,reqMsg);

Then, When i opened the search app to see the added data, i saw both the new fields and the raw data which is the key=value pairs that i set directly added.

I only want to see the added key=value pairs below the raw data, not together with the raw data.
When i tried adding the raw data and the key=value pairs to the content body of rest http request like this using java rest sdk api,

reqMsg.setContent("rawdata1 - hater = yes, nothater = no");

i see this added on the search app.

rawdata1 - hater = yes, nothater = no
(for the added raw data value)

the new fields hater and nohater are added below the raw field.
I just want the rawdata1 as the raw data value. Has it to be done using Java logging framework if i'm using java.

Tags (4)
0 Karma


Well the key=value pairs ARE in the raw data, this raw data is what Splunk receives and indexes and then creates the fields from! There's no side channel for creating fields without having them present in indexed data that you're sending. Have you understood the concept of search-time field extractions? Fields are NOT generally "created" the moment when you send data into Splunk. To Splunk, it's all just raw text. It's later on when you search this data that Splunk will create fields.

0 Karma