Duplicate metadata fields in Splunk when streaming logs via Vector #25462
Unanswered
ShravanAccept asked this question in Q&A
Replies: 0 comments
Duplicate metadata fields in Splunk when sending Appian logs via Vector
I’m streaming Appian logs to Splunk using Vector. The log events themselves look fine, but the metadata fields are being duplicated.
This started happening after I changed the sourcetype indexing in sinks to a different relevant field from the transform file. Since then, Splunk shows each metadata value twice.
I tried adjusting the sink configuration by trial and error, but I’m not sure how Splunk is interpreting these fields or why they’re duplicated.
Is this a known behavior? How can I configure Vector so that the metadata fields are not duplicated when sending Appian logs?
If needed, I can also add the config here.
Vector Config
type = "splunk_hec_logs"
We are using the above sink
Vector Logs
No response