topic Remove or replace multivalue field before to index in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Remove-or-replace-multivalue-field-before-to-index/m-p/536122#M89883 <P>Hello,</P><P>I have a .json that contains any multivalue fields.</P><P>I would like to avoid that any multivalue field be indexed, because It contais a lot of data that I want to avoid index.</P><P>Is there any way to do It?</P><P>I have try other options like replace all multivalue text by a character, with the follow command ( | rex field="changelog.histories{}.history" mode=sed "s/(^.+)/x/g" )in a search, and I am able to change:<BR />asderdas<BR />asd34sdas<BR />asdaserwerw<BR />by&nbsp;<BR />x<BR />x<BR />x</P><P>although I have tried with SEDCMD-xyz = s/"changelog.histories{}.history"=^.+/x/g in "Add data"-"Set sourcetype" window- Advanced and I don't achieve It.<BR />I would like to avoid index "changelog.histories{}.history" or change:<BR />asderdas<BR />asd34sdas<BR />asdaserwerw<BR />by<BR />x<BR />(changing all multivalue values for only a character(x for example)</P><P>Is It possible?</P><P>Thanks a lot and regards</P><P>Daniel</P> Sat, 16 Jan 2021 18:27:10 GMT DanielSp 2021-01-16T18:27:10Z Remove or replace multivalue field before to index https://community.splunk.com/t5/Getting-Data-In/Remove-or-replace-multivalue-field-before-to-index/m-p/536122#M89883 <P>Hello,</P><P>I have a .json that contains any multivalue fields.</P><P>I would like to avoid that any multivalue field be indexed, because It contais a lot of data that I want to avoid index.</P><P>Is there any way to do It?</P><P>I have try other options like replace all multivalue text by a character, with the follow command ( | rex field="changelog.histories{}.history" mode=sed "s/(^.+)/x/g" )in a search, and I am able to change:<BR />asderdas<BR />asd34sdas<BR />asdaserwerw<BR />by&nbsp;<BR />x<BR />x<BR />x</P><P>although I have tried with SEDCMD-xyz = s/"changelog.histories{}.history"=^.+/x/g in "Add data"-"Set sourcetype" window- Advanced and I don't achieve It.<BR />I would like to avoid index "changelog.histories{}.history" or change:<BR />asderdas<BR />asd34sdas<BR />asdaserwerw<BR />by<BR />x<BR />(changing all multivalue values for only a character(x for example)</P><P>Is It possible?</P><P>Thanks a lot and regards</P><P>Daniel</P> Sat, 16 Jan 2021 18:27:10 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-or-replace-multivalue-field-before-to-index/m-p/536122#M89883 DanielSp 2021-01-16T18:27:10Z Re: Remove or replace multivalue field before to index https://community.splunk.com/t5/Getting-Data-In/Remove-or-replace-multivalue-field-before-to-index/m-p/536125#M89884 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226451">@DanielSp</a>,</P><P>Props.conf SEDCMD command works on _raw data. That is why your regex must be able to capture patterns from raw data.&nbsp;</P><P>&nbsp;</P><P>If this reply helps you an upvote is appreciated.</P> Sat, 16 Jan 2021 19:10:36 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-or-replace-multivalue-field-before-to-index/m-p/536125#M89884 scelikok 2021-01-16T19:10:36Z