Splunk Search

why am I seeing meta data tags

conf0101
Engager

I am seeing my log entries prepended with strings like:

_internal\x00\x00\x00\x00\x14MetaData:Sourcetype\x00\x00\x00\x00\x14sourcetype::splunkd

Any idea why is this happening ?

I am forwarding syslogs logs from a remote host using splunk light forwarder.

Tags (1)

araitz
Splunk Employee
Splunk Employee

I think what rroberts is trying to say is that you have a 'raw' TCP input set up on the indexer rather than a 'Splunk-to-Splunk' TCP input.

Make sure you set up the listener on the indexer via Manager >> Forwarding and Receiving rather than Manager >> Data Inputs.

rroberts
Splunk Employee
Splunk Employee

If you are forwarding from syslog using a light forwarder to a Splunk indexer you will see source, sourcetype and host in the datastream. If you are forwarding to a 3rd party system you can edit your outputs.conf on your forwarder to just send raw data. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec

sendCookedData = true | false
* If true, events are cooked (have been processed by Splunk and are not raw).
* If false, events are raw and untouched prior to sending.
* Set to false if you are sending to a third-party system.
* Defaults to true.
Get Updates on the Splunk Community!

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...