For example: my task table sctask contains many fields like createdon, sysid, comments, worknotes, ... and I don't want to index the comments column, so how do I apply a filter?
Filter parameters provide filters in key-value pairs for indexing only selected data from the table. For example, key1=value1&key2=value2. The default is no filter.
I tried the below format:
key1=createdon&key2=sysid&key3=work_notes --> excluded the comments column/fields ..
Nothing indexed, 0 events.
The filter parameters in the add-on are used to provide filters in key-value pairs for indexing only selected data from the table, and not to remove that key-value pair (key1=value1, i.e. for example the comments key and a value).
Try SEDCMD to remove the parts of the events that you don't want. Have a look at - http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Anonymizedata#Anonymize_data_with_a_sed_scrip...
For example, my raw data is something like below; can you please help me with the SEDCMD...
raw=> sysid="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", createdon="2018-07-07 12:12:12", worknotes="sadfjkhdk sadfkhasdkfjd"
sysid="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", worknotes="sadfjkhdk sadfkhasdkfjd", created_on="2018-07-07 12:12:12"
comments can have any characters and sometimes the number of characters exceeds 30,000... So it is difficult to remove.
Try this in props.conf:
[<yoursourcetypeName>]
# Match lazily up to the closing quote that precedes the next key= (or end of
# event), so embedded quotes and commas inside the comments value go too.
SEDCMD-Anon = s/,?\s*comments="(.*?)"(?=\s*,\s*\w+=|\s*$)//g
comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf",
--> does it remove the complete thing or just "asdfhksdkjf"?
It will remove the complete thing, i.e.
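As an added example (not code from the thread or from the add-on), the following Python script emulates that SEDCMD offline against events modelled on the raw lines quoted above; the sample events are constructed for this example, and Python's re stands in for Splunk's PCRE (lazy quantifiers and lookahead behave the same in both). It contrasts a pattern of the form comments="([^"]+), which stops at the first double quote embedded in the comments value, with a revised pattern (my suggestion, not from the thread) that matches lazily up to the closing quote that precedes the next key= or the end of the event, and also eats the separating comma.

```python
import re

# Constructed sample events, modelled on the raw lines quoted in this thread.
# The third one is added to exercise comments as the last field of the event.
SAMPLE_EVENTS = [
    'sysid="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", '
    'createdon="2018-07-07 12:12:12", worknotes="sadfjkhdk sadfkhasdkfjd"',
    'sysid="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", '
    'worknotes="sadfjkhdk sadfkhasdkfjd", created_on="2018-07-07 12:12:12"',
    'sysid="1", worknotes="w", comments="trailing "quoted" text, with a comma"',
]

# Simple form: stops at the first double quote, so an embedded quote inside
# the comments value leaves the rest of the value (and a stray comma) behind.
SIMPLE_PATTERN = re.compile(r'comments="([^"]+)')

# Revised form (my suggestion, not from the thread): match lazily up to the
# closing quote that is followed by the next key= or by end of event, and
# swallow the separating comma so no dangling punctuation remains.
FIELD_PATTERN = re.compile(r',?\s*comments="(.*?)"(?=\s*,\s*\w+=|\s*$)')

# A "clean" event is a plain sequence of key="value" pairs (quote-free values
# are enough here) with no leftover fragments between them.
KV_EVENT = re.compile(r'(?:\w+="[^"]*")(?:,\s*\w+="[^"]*")*')


def sedcmd(event: str, pattern: re.Pattern, replacement: str = "") -> str:
    """Emulate s/pattern/replacement/g on one raw event."""
    return pattern.sub(replacement, event)


def strip_comments_simple(event: str) -> str:
    """Apply the first-quote-terminated pattern."""
    return sedcmd(event, SIMPLE_PATTERN)


def strip_comments(event: str) -> str:
    """Apply the revised pattern that removes the whole comments field."""
    return sedcmd(event, FIELD_PATTERN)


def is_clean(event: str) -> bool:
    """True when nothing but well-formed key="value" pairs remain."""
    return KV_EVENT.fullmatch(event) is not None


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print("raw:    ", raw)
        print("simple: ", strip_comments_simple(raw), is_clean(strip_comments_simple(raw)))
        print("revised:", strip_comments(raw), is_clean(strip_comments(raw)))
        print()
```

In props.conf the revised pattern would be written as SEDCMD-Anon = s/,?\s*comments="(.*?)"(?=\s*,\s*\w+=|\s*$)//g. Its remaining weak spot is a comments value that itself contains the text ", word=" followed by a quote, which would end the match early; a 30,000-character value is otherwise no problem for the regex, but dropping the column at the source (as the add-on's excluded properties do) avoids the rewrite entirely.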
Got the solution:
under Excluded properties, I just need to mention the field names which I don't want to index.
The space after the comma is important in older versions of the ServiceNow add-on, else it didn't work, don't know why.