Splunk Search

Creating new fields while adding events to Splunk's receivers endpoint

misteryuku
Communicator

I set the key=value pairs into the body of the REST HTTP request directly using the Java REST SDK API.

Example:

import com.splunk.RequestMessage;
import com.splunk.ResponseMessage;

RequestMessage reqMsg = new RequestMessage();
reqMsg.setMethod("POST");
reqMsg.getHeader().put("x-splunk-input-mode", "streaming");
// The body is the raw event text that Splunk will index
reqMsg.setContent("hater = yes, nothater = no");

Then I send the message to the simple receiver REST endpoint.

String path = "/services/receivers/simple?host=localhost&index=main&source=addfields&sourcetype=addedfields";
// authService is an authenticated com.splunk.Service instance
ResponseMessage resMsg = authService.send(path, reqMsg);

Then, when I opened the search app to see the added data, I saw both the new fields and the raw data (which is the key=value pairs that I set) added.

I only want to see the added key=value pairs below the raw data, not together with the raw data.
When I tried adding the raw data and the key=value pairs to the content body of the REST HTTP request like this, using the Java REST SDK API,

// Raw data followed by the key=value pairs in one event body
reqMsg.setContent("rawdata1 - hater = yes, nothater = no");

I see this added in the search app:

rawdata1 - hater = yes, nothater = no
(for the added raw data value)

The new fields hater and nothater are added below the raw field.
I just want rawdata1 as the raw data value. Does it have to be done using a Java logging framework if I'm using Java?


Ayn
Legend

Well, the key=value pairs ARE in the raw data; this raw data is what Splunk receives and indexes and then creates the fields from! There's no side channel for creating fields without having them present in the indexed data that you're sending. Have you understood the concept of search-time field extractions? Fields are NOT generally "created" the moment you send data into Splunk. To Splunk, it's all just raw text. It's later on, when you search this data, that Splunk will create fields.

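To illustrate the point in the answer above, here is an added example (not code from the thread or from Splunk) that models search-time key=value extraction over the two event bodies posted in the question. The regex is a simplified stand-in for Splunk's automatic KV extraction, assumed here for illustration only; the point it shows is that the fields are derived from `_raw` and never replace it.

```python
import re
from typing import Dict, List

# Constructed sample events: the two raw payloads posted in the question.
RAW_EVENTS = [
    "hater = yes, nothater = no",
    "rawdata1 - hater = yes, nothater = no",
]

# Simplified stand-in for Splunk's automatic key=value extraction:
# a bare identifier, optional spaces, '=', then a value running up to the
# next comma or whitespace. This is an assumption for illustration, not
# Splunk's actual extraction rules.
KV_PATTERN = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^,\s]+)")


def extract_fields(raw: str) -> Dict[str, str]:
    """Return the search-time fields derived from the raw event text."""
    return {m.group("key"): m.group("value") for m in KV_PATTERN.finditer(raw)}


def search_time_view(raw: str) -> Dict[str, str]:
    """Model what the search app shows: _raw plus the fields extracted from it.

    The extracted fields are added alongside the raw text; there is no way
    for them to exist without the key=value text being present in _raw.
    """
    view = extract_fields(raw)
    view["_raw"] = raw  # the indexed raw text is kept exactly as sent
    return view


def index_events(events: List[str]) -> List[Dict[str, str]]:
    """Apply the search-time model to every event, as a search would."""
    return [search_time_view(e) for e in events]


if __name__ == "__main__":
    for event in index_events(RAW_EVENTS):
        print(event)
```

Running it shows that both events yield the fields `hater=yes` and `nothater=no`, while `_raw` still contains the full text including the pairs; a body of just `rawdata1` yields no fields at all.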