Open SankoZaha opened 2 years ago
Thank you for your feedback. This sounds like some debug data being sent unintentionally. I have added this issue to our internal product backlog as TS-698.
@SankoZaha and any others that are experiencing this still with Splunk on the latest TS code: Another option while this is still getting sorted is to move your consumer type from Splunk to Generic_HTTP (this does not send the 'originalRawData' in the payload). The tuning unfortunately does not end here. This will also require some extra work with iRule logging and/or traffic profiles/JMESpath depending on your requirements. See the following guides.
The upside here is with the generic consumer you really open the door to how customized you want to get with your logging. The downside is that if you want something that will just do it all like the Splunk consumer then this is not the consumer for you.
All else, we will just have to hurry up and wait to find out what Telemetry is being replaced with.
https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/schema-reference.html
Environment
Summary
When sending a log to the consumer (Splunk), a field named "OriginalRawData" is added by Telemetry Streaming. This field contains the "entire log" in Syslog format, which is not ideal because it consumes twice the bandwidth. There doesn't seem to be any way to remove this field at this time.
Steps To Reproduce
Steps to reproduce the behavior:
Submit the following declaration:
Capture the Telemetry Streaming output to verify the addition of the "OriginalRawData" field:
Expected Behavior
Be able to send TS events without the OriginalRawData field.
Actual Behavior
As explained, at each event sent, the "OiginalRawData" field is added.