https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201226#M39792 <P>Hi Splunkers:</P> <P>I have an issue filtering out a field called <STRONG>Audit ID</STRONG>. Each email is assigned this number as it passes thru a mail exchange, so the conventional wisdom would be that if I search on one Audit ID, but we are getting several audit id results from other event records.</P> <P>I have created transforms to deal with various event records containing mailing activity such as mail delivery, accept, order, sender, subject, trackerid, verdict etc. I want this audit id field to be only indexed by Splunk for verdict ID and ignore all other event records.</P> <P>This audit id field exists on the other event records pertaining to mail delivery, accept, order, sender, subject, trackerid etc. How do I filter this field in Splunk so that it only shows this field 'audit_id' from 'verdict' event records and not others.</P> <P>Thanks</P> <P>Mohammed</P> Mon, 01 Aug 2016 16:06:10 GMT mohammed7860 2016-08-01T16:06:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201226#M39792 <P>Hi Splunkers:</P> <P>I have an issue filtering out a field called <STRONG>Audit ID</STRONG>. Each email is assigned this number as it passes thru a mail exchange, so the conventional wisdom would be that if I search on one Audit ID, but we are getting several audit id results from other event records.</P> <P>I have created transforms to deal with various event records containing mailing activity such as mail delivery, accept, order, sender, subject, trackerid, verdict etc. I want this audit id field to be only indexed by Splunk for verdict ID and ignore all other event records.</P> <P>This audit id field exists on the other event records pertaining to mail delivery, accept, order, sender, subject, trackerid etc. How do I filter this field in Splunk so that it only shows this field 'audit_id' from 'verdict' event records and not others.</P> <P>Thanks</P> <P>Mohammed</P> Mon, 01 Aug 2016 16:06:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201226#M39792 mohammed7860 2016-08-01T16:06:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201227#M39793 <P>Can you post the actual raw events that want to ingest and that you don't want to ingest?<BR /> Highlight the match terms as well.</P> Mon, 01 Aug 2016 17:34:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201227#M39793 somesoni2 2016-08-01T17:34:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201228#M39794 <P>I want to filter out only the audit_id from the below logs (audit_id) :</P> <P>Aug 2 07:24:12 ecelerity[port_no]: |****|ACCEPT|</P> <P>I want to keep all the event records below as is appearing in Splunk:</P> <P>Aug 2 07:26:14 bmserver[port_no]: |****|VERDICT||none|default|default</P> Tue, 29 Sep 2020 10:27:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201228#M39794 mohammed7860 2020-09-29T10:27:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201229#M39795 <P>Try this in your props.conf</P> <PRE><CODE>SEDCMD-hideauditid = s/(\w+-\w+-\w{2}-\w+)\|(?!VERDICT)/xxx-xxx-x-xxx|/g </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.1.9/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.1.9/Data/Anonymizedatausingconfigurationfiles</A></P> Tue, 02 Aug 2016 13:55:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201229#M39795 sundareshr 2016-08-02T13:55:27Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201230#M39796 <P>You want to filter the whole events which has that kind of structure shown by event 1 OR just want to mask the audit_id for the events?</P> Tue, 02 Aug 2016 14:09:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201230#M39796 somesoni2 2016-08-02T14:09:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201231#M39797 <P>I just want to mask out the audit_id for the events for the first data type:</P> <P>Aug 2 07:24:12 gk-c84-email ecelerity[2648]: 1470140652|38008f54-df7ff70000000a58-a3-57a090ec9bad|ACCEPT|56.0.143.4:41611</P> Tue, 02 Aug 2016 18:56:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201231#M39797 mohammed7860 2016-08-02T18:56:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201232#M39798 <P>Try this</P> <P>props.conf on your Indexer/Heavy forwarder</P> <PRE><CODE>[yoursourcetype] SEDCMD-maskAuditId = s/^([^\|]+\|)([^\|]+\|)([^\|]+\|)([^\|]+)$/\1XX-X-XXXX-X-XX\3\4/g </CODE></PRE> Tue, 02 Aug 2016 19:25:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-audit-id-field-from-Brightmail-logs-in-Splunk/m-p/201232#M39798 somesoni2 2016-08-02T19:25:44Z