For ex.: My task table sc_task contains many fields like created_on, sys_id, comments, work_notes, ... and I don't want to index the comments column, so how do I apply a filter?
Filter parameters provide filters in key-value pairs for indexing only selected data from the table. For example, key1=value1&key2=value2. The default is no filter.
I tried the below format
key1=created_on&key2=sys_id&key3=work_notes --> excluded comments column/fields ..
Result:
Nothing indexed 0 events.
Hi @AnilPujar,
Filter parameters in add-on is used to provide filters in key-value pairs for indexing only selected data from the table and not used to remove that key-value pair. key1=value1 i.e. for ex. sys_id=abc and not key2=sys_id
comments key and value try SEDCMD command-
Use SEDCMD to remove the parts of the events that you don't want. Have a look at -
http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Anonymizedata#Anonymize_data_with_a_sed_scrip...
Got the solution,
Under Excluded properties, just need to mention the field names which I don't want to index.
description, comments
The space after the comma is important in older versions of the ServiceNow add-on, else it didn't work, don't know why.
For example, my raw data is something like below, then can you please help me with the sedcmd...
_raw=> sys_id="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", created_on="2018-07-07 12:12:12", work_notes="sadfjkhdk sadfkhasdkfjd"
sys_id="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", work_notes="sadfjkhdk sadfkhasdkfjd", created_on="2018-07-07 12:12:12"
comments can have any characters and sometimes the no. of characters is crossing 30,000 characters... So I am facing difficulty removing it.
Try in props.conf-
[<yoursourcetypeName>]
SEDCMD-Anon = s/comments=\"([^\"]+)//g
comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf",
--> does it remove the complete thing or just "asdfhksdkjf" ?
It will remove the complete thing i.e. comments="asdfhksdkjf
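An added example (not code from any poster in this thread): it runs the thread's SEDCMD regex over constructed copies of the sample events to show what stays in the event, next to a variant anchored on the next known field. Python's re module stands in for Splunk's regex engine here, and KNOWN_KEYS and the function names are assumptions.

```python
import re

# Constructed events modelled on the thread's sample data (two field orders,
# plus comments as the last field). Values are not real ServiceNow data.
EVENTS = [
    'sys_id="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", '
    'created_on="2018-07-07 12:12:12", work_notes="sadfjkhdk sadfkhasdkfjd"',
    'sys_id="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", '
    'work_notes="sadfjkhdk sadfkhasdkfjd", created_on="2018-07-07 12:12:12"',
    'sys_id="34979jhk3j409823", created_on="2018-07-07 12:12:12", '
    'comments="last "field" here"',
]

# Regex from the thread's SEDCMD: the value match stops at the first embedded quote.
THREAD_PATTERN = re.compile(r'comments="([^"]+)')

# Assumption: every field that can follow comments is listed here. The value is
# taken to end at the quote followed by `, <known key>="` or by end of event.
KNOWN_KEYS = ("sys_id", "created_on", "work_notes")
ANCHORED_PATTERN = re.compile(
    r'(?:^|, )comments=".*?"(?=, (?:' + "|".join(KNOWN_KEYS) + r')="|$)',
    re.DOTALL,  # comments may span several lines
)


def thread_sedcmd(event):
    """Apply the thread's substitution (empty replacement, all matches)."""
    return THREAD_PATTERN.sub("", event)


def strip_comments(event):
    """Drop the whole comments field, then tidy a leading separator."""
    cleaned = ANCHORED_PATTERN.sub("", event)
    return re.sub(r"^, ", "", cleaned)


# Caveat: comment text that itself contains `", created_on="` (or another known
# key) ends the match early, so free text can still leak past this regex.
if __name__ == "__main__":
    for ev in EVENTS:
        print("thread  :", thread_sedcmd(ev))
        print("anchored:", strip_comments(ev))
```

Not fetching the field at all, as with the Excluded properties setting reported earlier in the thread, avoids parsing the free text in the first place.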