All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk ServiceNow app: how to Selectively remove Display value from indexing?

koshyk
Super Champion
‎04-05-2019 07:27 AM

hi
After recently upgrading to new version of ServiceNow app, we have found that the display value (dv_*) field have automatically been enabled. This makes each event/payload quite huge and makes them cumbersome to investigate. Some of the display_value fields are quite useful.

We could see the workaround provided per the docs to disable dv_* fields entirely: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Upgrade

So the question is
Can we selectively NOT index certain fields? (For example, we don't need fields like dv_approval_history from change_request table)

How to select the fields which are not required for indexing?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 07:18 AM

Found the answer. This can be done at inputs.conf 

[snow://change_request]
exclude = description,dv_close_notes,dv_comments_and_work_notes, ......

and so on. unfortunately it have to be done manually as per my testing

View solution in original post

Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 07:18 AM

Found the answer. This can be done at inputs.conf 

[snow://change_request]
exclude = description,dv_close_notes,dv_comments_and_work_notes, ......

and so on. unfortunately it have to be done manually as per my testing

Reply
Solved! Jump to solution

cybersecnutant
Explorer
‎02-12-2024 10:44 AM

Used this to drop the comments related fields. Longstanding tickets had more than 10,000 characters and would cause false negatives and/or crash browsers.

0 Karma
Reply
Solved! Jump to solution

efavreau
Motivator
‎04-08-2019 10:02 AM

Yes you can be selective about it. You are looking to filter events out before they are indexed. You'll need to modify props.conf and transforms.conf files with some parsing to remove/replace data. Here's some links to get you started.
https://answers.splunk.com/answers/578334/how-can-i-filter-events-before-they-are-indexed-so.html
https://answers.splunk.com/topics/event-filtering.html
https://docs.splunk.com/Documentation/Splunk/7.2.5/Forwarding/Routeandfilterdatad
A gotcha to be aware of is SEDCMD in props.conf comes before Transforms. (hattip: @davidpaper )

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...