Customers can readily take advantage of all the sourcetypes in the Splunk Add-on, including Common Information Model (CIM) compliance. Those CIM models are required for compatibility with premium applications like Splunk Enterprise Security (ES) and IT Service Intelligence (ITSI), and customers get them without any extra effort as long as they have set includePubsubMessage=true in their Splunk Dataflow pipelines.

Note on updating existing pipelines with includePubsubMessage: if you’re updating your pipelines from includePubsubMessage=false to includePubsubMessage=true and you are using a UDF, make sure to update your UDF implementation, since the function’s input argument is now the Pub/Sub message wrapper rather than the underlying message body, which is now the nested data field. In your function, assuming you save the JSON-parsed version of the input argument in an obj variable, the body payload is now nested in obj.data. For example, if your UDF is processing a log entry from Cloud Logging, a reference to obj.protoPayload needs to be updated to.

We also heard from customers who wanted to use Splunk HEC ‘fields’ metadata to set custom index-time field extractions in Splunk. We have therefore added support for that last remaining Splunk HEC metadata field.
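As an added example (not code from the original post or from the Dataflow template project), here is a UDF written against the includePubsubMessage=true wrapper that also emits the newly supported HEC `fields` metadata. The `_metadata` return convention, the sample audit log entry and the field names are assumptions made for this example.

```javascript
// Added example, not from the original post or the Dataflow template project.
// Assumed (not on the page): the template passes the UDF one JSON string and
// picks up HEC metadata, including `fields`, from a top-level `_metadata` object.
function process(inJson) {
  const obj = JSON.parse(inJson);
  // With includePubsubMessage=true the argument is the Pub/Sub wrapper: the log
  // entry sits under obj.data and message attributes under obj.attributes. A bare
  // entry means the pipeline was never switched over, so fail fast rather than
  // silently emitting events with empty fields.
  if (obj.data === undefined) {
    throw new Error('expected Pub/Sub wrapper with a data field');
  }
  // A JSON body may arrive already parsed or still as a string.
  const entry = typeof obj.data === 'string' ? JSON.parse(obj.data) : obj.data;
  // Pre-migration code read obj.protoPayload; it is now nested in obj.data.
  const payload = entry.protoPayload || {};
  const labels = (entry.resource && entry.resource.labels) || {};
  // Candidate index-time fields (names are illustrative); keep only the ones
  // present so Splunk never indexes the literal string "undefined".
  const candidates = {
    project_id: labels.project_id,
    log_name: entry.logName,
    method_name: payload.methodName,
    principal: (payload.authenticationInfo || {}).principalEmail,
  };
  for (const [k, v] of Object.entries(obj.attributes || {})) {
    candidates['pubsub_attr_' + k] = v;
  }
  const fields = {};
  for (const [k, v] of Object.entries(candidates)) {
    if (v !== undefined && v !== null) fields[k] = String(v);
  }
  entry._metadata = { fields: fields };
  return JSON.stringify(entry);
}

// Constructed sample input: an audit-style log entry inside its Pub/Sub wrapper.
const SAMPLE_WRAPPER = JSON.stringify({
  data: {
    logName: 'projects/example-project/logs/cloudaudit.googleapis.com%2Factivity',
    resource: { type: 'project', labels: { project_id: 'example-project' } },
    protoPayload: {
      methodName: 'SetIamPolicy',
      authenticationInfo: { principalEmail: 'admin@example.com' },
    },
  },
  attributes: { origin: 'constructed-sample' },
});
```

Running `process(SAMPLE_WRAPPER)` yields the inner log entry with a `_metadata.fields` object carrying `project_id`, `log_name`, `method_name`, `principal` and `pubsub_attr_origin`; feeding it a bare log entry without the wrapper throws.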