why am I seeing meta data tags

Engager

I am seeing my log entries prepended with strings like:

_internal\x00\x00\x00\x00\x14MetaData:Sourcetype\x00\x00\x00\x00\x14sourcetype::splunkd

Any idea why this is happening?

I am forwarding syslog logs from a remote host using a Splunk light forwarder.

Re: why am I seeing meta data tags

Splunk Employee

If you are forwarding from syslog using a light forwarder to a Splunk indexer you will see source, sourcetype and host in the datastream. If you are forwarding to a 3rd party system you can edit your outputs.conf on your forwarder to just send raw data. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec

sendCookedData = true | false
* If true, events are cooked (have been processed by Splunk and are not raw).
* If false, events are raw and untouched prior to sending.
* Set to false if you are sending to a third-party system.
* Defaults to true.

Re: why am I seeing meta data tags

Splunk Employee

I think what rroberts is trying to say is that you have a 'raw' TCP input set up on the indexer rather than a 'Splunk-to-Splunk' TCP input.

Make sure you set up the listener on the indexer via Manager >> Forwarding and Receiving rather than Manager >> Data Inputs.
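
The two fixes described in the answers above, as an added configuration sketch that is not part of the original posts. Port 9997, port 514, the output group names and the example.com host names are assumptions; the stanza types and sendCookedData are standard inputs.conf and outputs.conf settings.

```ini
# --- Indexer: inputs.conf ---------------------------------------------
# Misconfigured: a raw TCP data input (Manager >> Data Inputs). It reads
# the forwarder's cooked stream as plain text, so metadata keys such as
# MetaData:Sourcetype and sourcetype::splunkd end up inside the event.
#[tcp://9997]
#sourcetype = syslog

# Corrected: a Splunk-to-Splunk receiver (Manager >> Forwarding and
# Receiving). It decodes cooked data and applies host, source and
# sourcetype as metadata instead of event text.
[splunktcp://9997]

# --- Forwarder: outputs.conf ------------------------------------------
# Sending to the Splunk indexer above: leave cooking on (the default).
[tcpout:splunk_indexers]
server = indexer.example.com:9997
sendCookedData = true

# Sending to a third-party system instead: send raw, untouched events.
[tcpout:third_party]
server = collector.example.com:514
sendCookedData = false
```

After the listener is switched, new events should no longer contain strings such as MetaData:Sourcetype; events indexed before the change keep them.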