topic Re: filtering content on index in Getting Data In https://community.splunk.com/t5/Getting-Data-In/filtering-content-on-index/m-p/49106#M9331 <P>If the content will always follow a known pattern, you can use <A href="http://www.splunk.com/base/Documentation/4.1.5/Admin/Anonymizedatawithsed" rel="nofollow">SEDCMD</A> to filter out the text you don't want. Set the second part of the expression to be empty, e.g.: <CODE>SEDCMD-abc = s/StringToThrowAway//</CODE>.</P> <P>Another possibility (at the event level) would be to create an entry in <CODE>transforms.conf</CODE> matching the information you want suppressed, and route it to a null queue. See <A href="http://www.splunk.com/base/Documentation/4.1.5/Admin/Routeandfilterdata#Discard_specific_events_and_keep_the_rest" rel="nofollow">here</A> for an example.</P> Tue, 14 Sep 2010 00:38:27 GMT southeringtonp 2010-09-14T00:38:27Z filtering content on index https://community.splunk.com/t5/Getting-Data-In/filtering-content-on-index/m-p/49105#M9330 <P>At a high level... how would one filter the <STRONG>content</STRONG> itself being indexed.</P> <P>Example: i was indexing ..say.. xml docs and wanted to <STRONG>exclude</STRONG> the contents in a pair of xml tags.</P> Mon, 13 Sep 2010 23:30:06 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-content-on-index/m-p/49105#M9330 hiddenkirby 2010-09-13T23:30:06Z Re: filtering content on index https://community.splunk.com/t5/Getting-Data-In/filtering-content-on-index/m-p/49106#M9331 <P>If the content will always follow a known pattern, you can use <A href="http://www.splunk.com/base/Documentation/4.1.5/Admin/Anonymizedatawithsed" rel="nofollow">SEDCMD</A> to filter out the text you don't want. Set the second part of the expression to be empty, e.g.: <CODE>SEDCMD-abc = s/StringToThrowAway//</CODE>.</P> <P>Another possibility (at the event level) would be to create an entry in <CODE>transforms.conf</CODE> matching the information you want suppressed, and route it to a null queue. See <A href="http://www.splunk.com/base/Documentation/4.1.5/Admin/Routeandfilterdata#Discard_specific_events_and_keep_the_rest" rel="nofollow">here</A> for an example.</P> Tue, 14 Sep 2010 00:38:27 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-content-on-index/m-p/49106#M9331 southeringtonp 2010-09-14T00:38:27Z