Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About Raffaele53
Raffaele53
Loves-to-Learn
Member since:
09-03-2025
09-03-2025
Community Statistics
| Posts | 4 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 09-03-2025 |
Activity Feed
- Posted Re: Duplicate field values in Splunk events from Cribl on Getting Data In. 09-04-2025 04:48 AM
- Posted Re: Duplicate field values in Splunk events from Cribl on Getting Data In. 09-04-2025 12:25 AM
- Posted Re: Duplicate field values in Splunk events from Cribl on Getting Data In. 09-04-2025 12:20 AM
- Posted Duplicate field values in Splunk events from Cribl on Getting Data In. 09-03-2025 06:13 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
09-04-2025
04:48 AM
I tried using Indexed Extractions to see if anything would change, but it didn’t work. On the Cribl side, I only see the event going out and nothing else. Thanks for the help—hopefully someone’s run into this before and can help me!
... View more
09-04-2025
12:25 AM
Hi, Thanks for your reply. I shared the raw events going out from Cribl and coming into Splunk in my other message. On the Cribl side, I can only see the raw events being sent to Splunk, while field extraction can only be checked on the Splunk side. It’s strange because if I don’t extract fields from nested "records" field, everything works correctly. It’s as if Cribl leaves some old metadata in the events, referring to fields that were previously modified.
... View more
09-04-2025
12:20 AM
Sorry, I forgot to include the raw event going out from Cribl and coming into Splunk. Raw event extracted from Splunk search: {"cribl":"yes","security_event_hub":"yes","NetworkMessageId":"xxx","ReportId":"xxx","Timestamp":"2025-09-04T07:04:14.0000000Z","Url":"xxx","UrlDomain":"xxx","UrlLocation":"Body","TimeGenerated":"2025-09-04T07:04:14.0000000Z","_ItemId":"xxx","TenantId":"xxx","_TimeReceived":"2025-09-04T07:07:00.1639029Z","_Internal_WorkspaceResourceId":"xxx","Type":"EmailUrlInfo"} Each field and its value appear only once. On Cribl, the event looks the same: {
"_time": 1756969933.064,
"cribl": "yes",
"security_event_hub": "yes",
"NetworkMessageId": "xxx",
"ReportId": "xxx",
"Timestamp": "2025-09-04T07:08:47.0000000Z",
"Url": "xxx",
"UrlDomain": "xxx",
"UrlLocation": "Body",
"TimeGenerated": "2025-09-04T07:08:47.0000000Z",
"_ItemId": "xxx",
"TenantId": "xxx",
"_TimeReceived": "2025-09-04T07:12:07.2054241Z",
"_Internal_WorkspaceResourceId": "xxx",
"Type": "EmailUrlInfo",
"cribl_pipe": "Azure_Event_Hub_processing"
} I tried different combinations of KV_MODE, AUTO_KV_JSON, and INDEXED_EXTRACTIONS: On the Heavy Forwarder: KV_MODE=JSON, then KV_MODE=none INDEXED_EXTRACTIONS=JSON AUTO_KV_JSON=none and also all of them combined Afterwards, I tried: On the Search Head: KV_MODE=none and AUTO_KV_JSON=none On the Heavy Forwarder: INDEXED_EXTRACTIONS=JSON But nothing changed. On Cribl, I also tried several functions to delete and recreate fields/values, but that didn’t work either. Do you have any suggestions? Thanks a lot!
... View more
09-03-2025
06:13 AM
Hello, I’m using Cribl Cloud to pull JSON events from an Azure Event Hub and forward them to Splunk via HEC. Each incoming event (on Cribl) contains a nested array field called records, for example: {
"records": [
{
"FileName": "xx",
"FileType": "xx",
"NetworkMessageId": "xx",
"RecipientEmailAddress": "xx",
"RecipientObjectId": "xx",
"ReportId": "xx",
"SHA256": "xx",
"SenderDisplayName": "xx",
"SenderObjectId": "x",
"SenderFromAddress": "x",
"FileSize": x,
"Timestamp": "xx",
"TimeGenerated": "xx",
"_ItemId": "xx",
"TenantId": "xx",
"_TimeReceived": "xx",
"_Internal_WorkspaceResourceId": "xx",
"Type": "xx"
},
{
"FileName": "xx",
"FileType": "xx",
"NetworkMessageId": "xx",
"RecipientEmailAddress": "xx",
"RecipientObjectId": "xx",
"ReportId": "xx",
"SHA256": "xx",
"SenderDisplayName": "xx",
"SenderObjectId": "x",
"SenderFromAddress": "x",
"FileSize": x,
"Timestamp": "xx",
"TimeGenerated": "xx",
"_ItemId": "xx",
"TenantId": "xx",
"_TimeReceived": "xx",
"_Internal_WorkspaceResourceId": "xx",
"Type": "xx"
},
{
"FileName": "xx",
"FileType": "xx",
"NetworkMessageId": "xx",
"RecipientEmailAddress": "xx",
"RecipientObjectId": "xx",
"ReportId": "xx",
"SHA256": "xx",
"SenderDisplayName": "xx",
"SenderObjectId": "x",
"SenderFromAddress": "x",
"FileSize": x,
"Timestamp": "xx",
"TimeGenerated": "xx",
"_ItemId": "xx",
"TenantId": "xx",
"_TimeReceived": "xx",
"_Internal_WorkspaceResourceId": "xx",
"Type": "xx"
}
],
"_time": 1756902850.057,
"cribl": "yes",
"security_event_hub": "yes"
} My goal is to split each element of the records array into a separate, flat event. Here’s what I’ve tried: Unroll function (Cribl) on records to produce individual events Flatten function (Cribl) to promote nested fields and delete records array In Splunk, each field’s values are duplicated (and sometimes triplicated), as shown here: (censored values are equals between them) I’ve identified that extracting nested values is causing this anomaly in Splunk. I’ve tried numerous approaches to resolve it: Replaced the Flatten function with an Eval expression like that (Cribl): Object.assign(__e, Object.assign({}, __e, __e.rec || {})); delete __e.rec; delete __e.records; Tested various JavaScript snippets in Code functions (Cribl) Used JSON Unroll and JSON Decode functions (Cribl) Toggled KV_MODE, AUTO_KV_JSON, and INDEXED_EXTRACTIONS on Heavy Forwarders and Search Heads None of these solutions work consistently; in some cases values were even triplicated. Do you have any suggestions to resolve this issue? Thank you in advance for any insights or working examples.
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-03-2025
11:43 PM
|
