https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513444#M62895 <P>Thanks for the info.&nbsp; &nbsp;can i discard or manipulate fields in an event.&nbsp; &nbsp;I'm going to speak logstash here and mutate to delete "reallybigfieldIdon'tcareabout"</P> Mon, 10 Aug 2020 20:47:29 GMT zippo706 2020-08-10T20:47:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513421#M62892 <P>I"d like to send audit data through an event hub.&nbsp; &nbsp;However, i want my heavy fwd'r to not send all fields to splunk as 75% of is will be useless and take up all my ingesting quota.&nbsp;</P><P>Is there an easy way to do this?&nbsp; The data coming in is Azure SQL where i don't beleive i can change data going into the hub.</P> Mon, 10 Aug 2020 19:38:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513421#M62892 zippo706 2020-08-10T19:38:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513440#M62894 <P>If you want to discard entire events, see&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P><P>If you want to discard parts of events, use SEDCMD in props.conf.</P><LI-CODE lang="markup">[mysourcetype] SEDCMD-winevent = s/This event is generated.*//</LI-CODE> Mon, 10 Aug 2020 20:38:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513440#M62894 richgalloway 2020-08-10T20:38:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513444#M62895 <P>Thanks for the info.&nbsp; &nbsp;can i discard or manipulate fields in an event.&nbsp; &nbsp;I'm going to speak logstash here and mutate to delete "reallybigfieldIdon'tcareabout"</P> Mon, 10 Aug 2020 20:47:29 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513444#M62895 zippo706 2020-08-10T20:47:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513471#M62898 Yes, you can do that with SEDCMD. It will be on the raw event, however, since fields haven't been extracted when SEDCMD runs. Tue, 11 Aug 2020 00:29:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513471#M62898 richgalloway 2020-08-11T00:29:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513744#M62914 <P>Thank you, much appreciated.</P> Wed, 12 Aug 2020 16:02:27 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Limiting-ingested-fields-in-Azure-Event-Hubs/m-p/513744#M62914 zippo706 2020-08-12T16:02:27Z