topic Re: How can i retreive only some fields ? in Splunk Search

How can i retreive only some fields ?

tony_alibelli — Mon, 28 Sep 2020 14:23:03 GMT

Hi
i'm using this app and i have some trouble to reduce the indexed volume

i will reduce the flow selecting only some fields :
i modified the file fw1-loggrabber.conf :
FIELDS="time;action;src;s_port;dst;service"
but it's not working : flow not contain selected fields
"loc=109418|time=18Jul2013 10:30:54|action=accept|orig=10.127.**|i/f_dir=inbound|i/f_name=bond1.206"

when i reset config file i receive all fields

"loc=5384|time=18Jul2013  5:59:59|action=accept|orig=10.127.**|i/f_dir=inbound|i/f_name=Exp1-2|has_accounting=0|uuid=<51e7683f,00000004,11017f0a,0005ffff>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={66154744-EF02-11E2-936D-000000005656};mgmt;date=1374080435;policy_name=INTE]|rule=12|rule_uid={131EB010--AA76-1DE2C9866C7B}|service_id=TCP-9505|src=10.156.4.10|s_port=2110|dst=10.176.253.182|service=9505|proto=tcp"

i read someone use old binary version 2.0.1 to solve this issue
where can i download the older version 2.0.1 ?

someone have got any other solution ?

Thanks

Re: How can i retreive only some fields ?

lguinn2 — Thu, 18 Jul 2013 19:53:35 GMT

Wow - what version of Splunk are you using? The current version is so much faster than the earlier versions that you would be astounded, especially for searching. The management of fields and knowledge objects is much more sophisticated. It is easy to turn field extraction on/off. I know there is no simple migration from 2.x or 3.x to the current 5.0.3 release, but I still believe the effort would be well worth it.

Re: How can i retreive only some fields ?

tony_alibelli — Tue, 20 Aug 2013 13:55:54 GMT

i'm using 5.0.2 splunk version

i only need to know how to get only wanted field in splunk with this application

thanks

Re: How can i retreive only some fields ?

sdaniels — Tue, 20 Aug 2013 17:41:05 GMT

This the Checkpoint app correct? The FIELDS setting does not work in the current implementation to have the Splunk forwarder limit what fw1-loggrabber pulls from Checkpoint. There is an enhancement request opened for this. Your best work around at this time is to use the SED command and strip out the fields that you don't want to index/display within Splunk.

http://answers.splunk.com/answers/44865/remove-out-section-of-log

Re: How can i retreive only some fields ?

tony_alibelli — Thu, 22 Aug 2013 13:19:24 GMT

this solution is running, i tested it

but it'too hard to use cause i need to define all fields i don't want

could you contact me when the enhancement request will be resolve

best regards

Re: How can i retreive only some fields ?

sdaniels — Thu, 22 Aug 2013 13:42:16 GMT

yes, it's not ideal but this is something you only need to configure once and it's the only work around currently. Please check back once you see updates to the Checkpoint app to see if it gets added to the next version. You'll see it mentioned in release notes or the readme.

Re: How can i retreive only some fields ?

tony_alibelli — Thu, 22 Aug 2013 14:41:42 GMT

thanks for your answer
i have a last question on this app, when we start the collect script we retreive all the historical data. is it possible to retreive only the live log ? how can we do it ?

thanks