All Apps and Add-ons
Highlighted

How do I filter unwanted columns like description fields while configuring inputs for the Splunk Add-on for ServiceNow?

Path Finder

For ex.: My task table sctask contains many fields like createdon,sysid,comments,worknotes,... and i don't want to index comments column, so how do I apply a filter?

Filter parameters provide filters in key-value pairs for indexing only selected data from the table. For example, key1=value1&key2=value2. The default is no filter.

i tried the below format
key1=createdon&key2=sysid&key3=work_notes --> excluded comments column/fields ..
Result:
Nothing indexed 0 events.

0 Karma
Highlighted

Re: How do I filter unwanted columns like description fields while configuring inputs for the Splunk Add-on for ServiceNow?

Super Champion

Hi @AnilPujar,

  1. Filter parameters in add-on is used to Provide filters in key-value pairs for indexing only selected data from the table and not used to remove that key-value pair.
  2. And it is written in format like key1=value1 i.e. for ex. sys_id=abc and not key2=sys_id
  3. So to remove comments key and value try SEDCMD command- Use SEDCMD to remove the parts of the events that you don't want. Have a look at - http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Anonymizedata#Anonymize_data_with_a_sed_scrip...

View solution in original post

Highlighted

Re: How do I filter unwanted columns like description fields while configuring inputs for the Splunk Add-on for ServiceNow?

Path Finder

for example my raw data is something like below, then can you please help me with the sedcmd...

raw=> sysid="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", createdon="2018-07-07 12:12:12", worknotes="sadfjkhdk sadfkhasdkfjd"

sysid="34979jhk3j409823", comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", worknotes="sadfjkhdk sadfkhasdkfjd", created_on="2018-07-07 12:12:12"

comments can have any characters and some times the no. of characters are crossing 30,000 characters... So facing difficult to remove.

0 Karma
Highlighted

Re: How do I filter unwanted columns like description fields while configuring inputs for the Splunk Add-on for ServiceNow?

Super Champion

try in props.conf-

[<yoursourcetypeName>]
SEDCMD-Anon = s/comments=\"([^\"]+)//g
0 Karma
Highlighted

Re: How do I filter unwanted columns like description fields while configuring inputs for the Splunk Add-on for ServiceNow?

Path Finder

comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf",
--> does it removes the complete thing or just "asdfhksdkjf" ?

0 Karma
Highlighted

Re: How do I filter unwanted columns like description fields while configuring inputs for the Splunk Add-on for ServiceNow?

Super Champion

it will remove complete thing i.e. comments="asdfhksdkjf

0 Karma
Highlighted

Re: How do I filter unwanted columns like description fields while configuring inputs for the Splunk Add-on for ServiceNow?

Path Finder

Got the solution,

Under Excluded properties, just need to mention the fieldnames which i dont want to index.

description, comments

the space after comma is important in older versions of service now addon, else it didn't work donno why.

0 Karma