I am trying to send json format data from consuming from kafka to splunk forwarders over tcp..
- If I send json data from kafka {"a": "b"} over tcp (I have a module that sends json to tcp on port 9999)
- which will be consumed by universal forwarder
- and then send this data to splunk,
when I search this data on splunk it shows up as {"event":{"a":"b"}}
**Why json is getting wrapped inside "event" ? how to avoid it ?**
splunkforwarder/etc/system/local/inputs.conf
[tcp://9999]
disabled = 0
_TCP_ROUTING = index1
sourcetype = fromLocal
splunkforwarder/etc/system/local/outputs.conf
[tcpout:index1]
server=xx.xxx.xxx.xxx:9997
Splunk version: 6.6.2
UniversalForwarder version: 6.6.2
↧