I'm trying to minimize the amount of data from Kubernetes JSON events that are being indexed into my Splunk instance. Rather than having the whole JSON which includes headers and mostly unimportant metadata, I want to only display the raw text payload in my Splunk event viewer. However, this filters out the metadata that I actually find useful so I created a field extraction transformation in an attempt to add the metadata I need to my events before doing my filtering logic.
I've tried the above, but it doesn't work when they are in combination.
Is it possible to add, for example key1=value1 in _meta and have this field extracted for all events even if the events would not have it in _raw?
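One way to get both behaviours in Splunk is to run the metadata transform against the original JSON before a second transform replaces _raw, since each transform in a TRANSFORMS-<class> list matches against the current _raw in the order listed. The configuration below is an added example, not the poster's own config; the sourcetype name kube:json, the field names and the sample JSON shape (a "log" string plus a "namespace" string) are assumptions.

```ini
# props.conf
# Order matters: kube_meta_* must run while _raw is still the full JSON,
# and kube_raw_payload must come last because it overwrites _raw.
[kube:json]
TRANSFORMS-kube = kube_meta_static, kube_meta_namespace, kube_raw_payload

# transforms.conf
# Constant index-time field (the key1=value1 case from the question).
# REGEX = . matches every event, so the field is written for all of them,
# even though "key1" never appears in _raw.
[kube_meta_static]
REGEX = .
FORMAT = key1::value1
WRITE_META = true

# Index-time field pulled from the JSON metadata before it is discarded.
# Keeping namespace/pod context on the event is what lets later searches
# and alerts still attribute a payload line to its workload.
[kube_meta_namespace]
REGEX = "namespace":"([^"]+)"
FORMAT = namespace::$1
WRITE_META = true

# Replace _raw with only the "log" value. The capture keeps JSON escapes
# such as \n and \" exactly as they appear in the original string.
[kube_raw_payload]
REGEX = "log":"((?:[^"\\]|\\.)*)"
FORMAT = $1
DEST_KEY = _raw

# fields.conf
# Declare the fields as indexed so key1=value1 or namespace=foo in a
# search uses the index-time values instead of looking in _raw.
[key1]
INDEXED = true

[namespace]
INDEXED = true
```

Index-time transforms only affect data ingested after the change is deployed to the indexers or heavy forwarders, so existing events keep their original _raw.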