- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How do I filter unwanted columns like description ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For ex.: My task table sc_task contains many fields like created_on,sys_id,comments,work_notes,... and i don't want to index comments column, so how do I apply a filter?
Filter parameters provide filters in key-value pairs for indexing only selected data from the table. For example, key1=value1&key2=value2. The default is no filter.
i tried the below format
key1=created_on&key2=sys_id&key3=work_notes --> excluded comments column/fields ..
Result:
Nothing indexed 0 events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AnilPujar,
Filter parametersin add-on is used to Provide filters in key-value pairs for indexing only selected data from the table and not used to remove that key-value pair.- And it is written in format like
key1=value1i.e. for ex.sys_id=abcand notkey2=sys_id - So to remove
commentskey and value trySEDCMDcommand- UseSEDCMDto remove the parts of the events that you don't want. Have a look at - http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Anonymizedata#Anonymize_data_with_a_sed_scrip...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got the solution,
Under Excluded properties, just need to mention the fieldnames which i dont want to index.
description, comments
the space after comma is important in older versions of service now addon, else it didn't work donno why.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AnilPujar,
Filter parametersin add-on is used to Provide filters in key-value pairs for indexing only selected data from the table and not used to remove that key-value pair.- And it is written in format like
key1=value1i.e. for ex.sys_id=abcand notkey2=sys_id - So to remove
commentskey and value trySEDCMDcommand- UseSEDCMDto remove the parts of the events that you don't want. Have a look at - http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Anonymizedata#Anonymize_data_with_a_sed_scrip...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for example my raw data is something like below, then can you please help me with the sedcmd...
_raw=> sys_id="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", created_on="2018-07-07 12:12:12", work_notes="sadfjkhdk sadfkhasdkfjd"
sys_id="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", work_notes="sadfjkhdk sadfkhasdkfjd", created_on="2018-07-07 12:12:12"
comments can have any characters and some times the no. of characters are crossing 30,000 characters... So facing difficult to remove.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try in props.conf-
[<yoursourcetypeName>]
SEDCMD-Anon = s/comments=\"([^\"]+)//g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf",
--> does it removes the complete thing or just "asdfhksdkjf" ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it will remove complete thing i.e. comments="asdfhksdkjf
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
