Splunk Search

why am I seeing meta data tags

conf0101
Engager

I am seeing my log entries prepended with strings like:

_internal\x00\x00\x00\x00\x14MetaData:Sourcetype\x00\x00\x00\x00\x14sourcetype::splunkd

Any idea why is this happening ?

I am forwarding syslogs logs from a remote host using splunk light forwarder.

Tags (1)

araitz
Splunk Employee
Splunk Employee

I think what rroberts is trying to say is that you have a 'raw' TCP input set up on the indexer rather than a 'Splunk-to-Splunk' TCP input.

Make sure you set up the listener on the indexer via Manager >> Forwarding and Receiving rather than Manager >> Data Inputs.

rroberts
Splunk Employee
Splunk Employee

If you are forwarding from syslog using a light forwarder to a Splunk indexer you will see source, sourcetype and host in the datastream. If you are forwarding to a 3rd party system you can edit your outputs.conf on your forwarder to just send raw data. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec

sendCookedData = true | false
* If true, events are cooked (have been processed by Splunk and are not raw).
* If false, events are raw and untouched prior to sending.
* Set to false if you are sending to a third-party system.
* Defaults to true.
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...