https://community.splunk.com/t5/Getting-Data-In/How-can-I-filter-the-field-only-from-certain-events/m-p/331555#M61415 <P>Hello! How can I filter the field only from certain events? There are a lot of events with the same fields, I need to filter these fields when indexing, only in some events.</P> Tue, 24 Oct 2017 07:34:05 GMT bagaeva 2017-10-24T07:34:05Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-filter-the-field-only-from-certain-events/m-p/331555#M61415 <P>Hello! How can I filter the field only from certain events? There are a lot of events with the same fields, I need to filter these fields when indexing, only in some events.</P> Tue, 24 Oct 2017 07:34:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-filter-the-field-only-from-certain-events/m-p/331555#M61415 bagaeva 2017-10-24T07:34:05Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-filter-the-field-only-from-certain-events/m-p/331556#M61416 <P>please provide sample raw data in your post, and how you want the output so we can put the correct search/filter/regex</P> Tue, 24 Oct 2017 11:51:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-filter-the-field-only-from-certain-events/m-p/331556#M61416 koshyk 2017-10-24T11:51:30Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-filter-the-field-only-from-certain-events/m-p/331557#M61417 <P>two events: </P> <P>1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_cr = 56 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624 </P> <P>1508735662.348 d = a event = cup fI = "2017-10-22 17: 26: 37.000" serv = ru_1 sn = u_cl = 1 u_cr = 300 u_geo = RU u_id = 1256228 u_mn = 595 u_pvp = 0 u_sd = 600 u_st = 700 u_wd = 760 u_wl = 1 </P> <P>The field u_cr = 56 must be removed only from the first (event = vil). In the second (event = cup), it should not change. </P> <P>After deleting the first event looks like: </P> <P>1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624</P> Tue, 29 Sep 2020 16:28:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-filter-the-field-only-from-certain-events/m-p/331557#M61417 bagaeva 2020-09-29T16:28:02Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-filter-the-field-only-from-certain-events/m-p/331558#M61418 <P>The answer here is NOT to change the field extractions of the original, raw data. It sounds like you want to treat the value of <CODE>u_cr</CODE> differently for some values of event than those from other values of event. In that case, you could just change the value of <CODE>u_cr</CODE> for those events dynamically at search time to get what you need. For example, if you were summing <CODE>u_cr</CODE> but wanted to exclude the value of <CODE>u_cr</CODE> from that summation for events where the event field equals "vil", you could just set <CODE>u_cr</CODE> to zero for those events right in the search; for example:</P> <PRE><CODE>... | eval u_cr=if(event="vil", 0, u_cr) | stats sum(u_cr) </CODE></PRE> <P>I hope that helps.</P> Wed, 25 Oct 2017 22:20:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-filter-the-field-only-from-certain-events/m-p/331558#M61418 khaynes_splunk 2017-10-25T22:20:54Z