I am trying to send JSON-format data consumed from Kafka to Splunk forwarders over TCP.
- If I send json data from kafka {"a": "b"} over tcp (I have a module that sends json to tcp on port 9999)
- It is consumed by universal forwarder and then sends this data to Splunk.
When I search this data on Splunk it shows up as {"event":{"a":"b"}}
**Why is the JSON getting wrapped inside "event"? How can I avoid it?**
splunkforwarder/etc/system/local/inputs.conf

```
[tcp://9999]
disabled = 0
_TCP_ROUTING = index1
sourcetype = fromLocal
```

splunkforwarder/etc/system/local/outputs.conf

```
[tcpout:index1]
server=xx.xxx.xxx.xxx:9997
```

Splunk version: 6.6.2
UniversalForwarder version: 6.6.2