Re: why am I seeing meta data tags

conf0101 · ‎12-22-2010

I am seeing my log entries prepended with strings like:

_internal\x00\x00\x00\x00\x14MetaData:Sourcetype\x00\x00\x00\x00\x14sourcetype::splunkd

Any idea why is this happening ?

I am forwarding syslogs logs from a remote host using splunk light forwarder.

araitz · ‎12-28-2010

I think what rroberts is trying to say is that you have a 'raw' TCP input set up on the indexer rather than a 'Splunk-to-Splunk' TCP input.

Make sure you set up the listener on the indexer via Manager >> Forwarding and Receiving rather than Manager >> Data Inputs.

rroberts · ‎12-28-2010

If you are forwarding from syslog using a light forwarder to a Splunk indexer you will see source, sourcetype and host in the datastream. If you are forwarding to a 3rd party system you can edit your outputs.conf on your forwarder to just send raw data. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec

sendCookedData = true | false
* If true, events are cooked (have been processed by Splunk and are not raw).
* If false, events are raw and untouched prior to sending.
* Set to false if you are sending to a third-party system.
* Defaults to true.

why am I seeing meta data tags

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases