topic Re: How to Filter part of data in an event during index time in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274368#M52625 <P>What type of forwarder you've, Universal forwarder OR full Enterprise Instance acting as forwarder? Also, Since you posted dummy data in question, the regex is suggested accordingly. Do remember to validate the regex first (if regex is wrong, the SEDCMD will not work anyways).</P> Tue, 31 May 2016 15:16:03 GMT somesoni2 2016-05-31T15:16:03Z How to Filter part of data in an event during index time https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274363#M52620 <P>Hi, I have a type of following event data which is coming from forwarder:</P> <PRE><CODE>Column1=XYZ+Column2=ABC+ColumnC=GGG.... </CODE></PRE> <P>I want to remove <CODE>Column2=ABC</CODE> value from the event before indexing. Can help how to filter this data. The event should be indexed like this:</P> <PRE><CODE>Column1=XYZ+ColumnC=GGG.... </CODE></PRE> Fri, 27 May 2016 11:02:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274363#M52620 reach2tushar 2016-05-27T11:02:51Z Re: How to Filter part of data in an event during index time https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274364#M52621 <P>Try this:<BR /> props.conf</P> <PRE><CODE>[yoursource_type] SEDCMD-removecolumn=s/Column2=[^\+]*\+//g </CODE></PRE> Fri, 27 May 2016 11:50:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274364#M52621 diogofgm 2016-05-27T11:50:51Z Re: How to Filter part of data in an event during index time https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274365#M52622 <P>Hi, thanks for the reply.<BR /> I have windows server environment. I tried this but it didn't work.<BR /> will SEDCMD only work on Linux server?</P> Tue, 31 May 2016 10:55:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274365#M52622 reach2tushar 2016-05-31T10:55:11Z Re: How to Filter part of data in an event during index time https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274366#M52623 <P>This should work regardless of OS. Did you put the config in your heavy forwarder/indexers and restarted it? Also, it would be good if you can test the regex against your actual data from <A href="http://www.regex101.com">www.regex101.com</A> or similar sites before actually using it.</P> Tue, 31 May 2016 13:48:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274366#M52623 somesoni2 2016-05-31T13:48:13Z Re: How to Filter part of data in an event during index time https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274367#M52624 <P>I added these configs on my indexer and restarted. should I move the configs to forwarder?</P> Tue, 31 May 2016 14:40:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274367#M52624 reach2tushar 2016-05-31T14:40:31Z Re: How to Filter part of data in an event during index time https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274368#M52625 <P>What type of forwarder you've, Universal forwarder OR full Enterprise Instance acting as forwarder? Also, Since you posted dummy data in question, the regex is suggested accordingly. Do remember to validate the regex first (if regex is wrong, the SEDCMD will not work anyways).</P> Tue, 31 May 2016 15:16:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274368#M52625 somesoni2 2016-05-31T15:16:03Z Re: How to Filter part of data in an event during index time https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274369#M52626 <P>I am using full enterprise instance as a forwarder. Also I verified regex with <A href="http://www.regexr.com/">http://www.regexr.com/</A>. It looks good. The SEDCMD is in props.conf file on indexer.</P> Wed, 01 Jun 2016 10:46:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274369#M52626 reach2tushar 2016-06-01T10:46:06Z Re: How to Filter part of data in an event during index time https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274370#M52627 <P>Since you are using a heavy forwarder, put the props the forwarder</P> Fri, 03 Jun 2016 02:23:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274370#M52627 diogofgm 2016-06-03T02:23:07Z Re: How to Filter part of data in an event during index time https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274371#M52628 <P>It worked after moving on heavy forwarder. <BR /> Thanks heaps for your help.</P> Fri, 03 Jun 2016 12:05:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Filter-part-of-data-in-an-event-during-index-time/m-p/274371#M52628 reach2tushar 2016-06-03T12:05:31Z