Splunk Search

why am I seeing meta data tags

conf0101
Engager

I am seeing my log entries prepended with strings like:

_internal\x00\x00\x00\x00\x14MetaData:Sourcetype\x00\x00\x00\x00\x14sourcetype::splunkd

Any idea why is this happening ?

I am forwarding syslogs logs from a remote host using splunk light forwarder.

Tags (1)

araitz
Splunk Employee
Splunk Employee

I think what rroberts is trying to say is that you have a 'raw' TCP input set up on the indexer rather than a 'Splunk-to-Splunk' TCP input.

Make sure you set up the listener on the indexer via Manager >> Forwarding and Receiving rather than Manager >> Data Inputs.

rroberts
Splunk Employee
Splunk Employee

If you are forwarding from syslog using a light forwarder to a Splunk indexer you will see source, sourcetype and host in the datastream. If you are forwarding to a 3rd party system you can edit your outputs.conf on your forwarder to just send raw data. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec

sendCookedData = true | false
* If true, events are cooked (have been processed by Splunk and are not raw).
* If false, events are raw and untouched prior to sending.
* Set to false if you are sending to a third-party system.
* Defaults to true.
Get Updates on the Splunk Community!

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options A recent Tech Talk, ...

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...