Hi @AbhinavRanjan, how are dynamic data source fields generated? Is it possible for you to use a different name? If not, you have to manipulate your multivalue to always take the first or the second, something like this:
...
| eval source=mvindex(source,0)
| table _time,cluster_name,namespaceName,podName,policyName,message,severity,action,tags,resource,source
Ciao. Giuseppe
I am using HEC to push the data to Splunk, and in HEC we have a field Source, and the log which I am forwarding to Splunk also has a field named Source.
The issue I am facing is that both source names get merged, and on each log I can see the same two values for the source.
I don't want to change the field of my log. Is there a way I can change something on HEC?