You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hello and please forgive me if this is not the appropriate place to ask this question. I would like to know if it's possible to add configuration to the daemon.json file to completely remove the value of the 'source' field from the event because I would like to let Splunk automatically set the source at index time. Reading the documentation, I see there is an optional flag 'splunk-source' where I can change the value. But I don't want to change the value, I would like to completely remove it from the POST body. Is there way to do this in the configuration file? It seems all the doc examples show a value for that field.
Here's what our current Splunk config looks like. I'm not the app developer here, so this information was provided to me when I requested the configuration. All the variables are defined and the event is being indexed as I would expect. I just want to remove the source field from the POST body.
"logConfiguration": {
"logDriver": "splunk",
"options": {
"splunk-url": "${splunk_url}",
"splunk-index": "${splunk_index}",
"splunk-insecureskipverify": "true",
"splunk-sourcetype": "${splunk_sourcetype}",
"splunk-format": "json"
},
Thanks in advance.
The text was updated successfully, but these errors were encountered:
Hello and please forgive me if this is not the appropriate place to ask this question. I would like to know if it's possible to add configuration to the daemon.json file to completely remove the value of the 'source' field from the event because I would like to let Splunk automatically set the source at index time. Reading the documentation, I see there is an optional flag 'splunk-source' where I can change the value. But I don't want to change the value, I would like to completely remove it from the POST body. Is there way to do this in the configuration file? It seems all the doc examples show a value for that field.
Here's what our current Splunk config looks like. I'm not the app developer here, so this information was provided to me when I requested the configuration. All the variables are defined and the event is being indexed as I would expect. I just want to remove the source field from the POST body.
"logConfiguration": {
"logDriver": "splunk",
"options": {
"splunk-url": "${splunk_url}",
"splunk-index": "${splunk_index}",
"splunk-insecureskipverify": "true",
"splunk-sourcetype": "${splunk_sourcetype}",
"splunk-format": "json"
},
Thanks in advance.
The text was updated successfully, but these errors were encountered: