All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk ServiceNow app: how to Selectively remove Display value from indexing?

koshyk
Super Champion
‎04-05-2019 07:27 AM

hi
After recently upgrading to new version of ServiceNow app, we have found that the display value (dv_*) field have automatically been enabled. This makes each event/payload quite huge and makes them cumbersome to investigate. Some of the display_value fields are quite useful.

We could see the workaround provided per the docs to disable dv_* fields entirely: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Upgrade

So the question is
Can we selectively NOT index certain fields? (For example, we don't need fields like dv_approval_history from change_request table)

How to select the fields which are not required for indexing?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 07:18 AM

Found the answer. This can be done at inputs.conf 

[snow://change_request]
exclude = description,dv_close_notes,dv_comments_and_work_notes, ......

and so on. unfortunately it have to be done manually as per my testing

View solution in original post

Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 07:18 AM

Found the answer. This can be done at inputs.conf 

[snow://change_request]
exclude = description,dv_close_notes,dv_comments_and_work_notes, ......

and so on. unfortunately it have to be done manually as per my testing

Reply
Solved! Jump to solution

cybersecnutant
Explorer
‎02-12-2024 10:44 AM

Used this to drop the comments related fields. Longstanding tickets had more than 10,000 characters and would cause false negatives and/or crash browsers.

0 Karma
Reply
Solved! Jump to solution

efavreau
Motivator
‎04-08-2019 10:02 AM

Yes you can be selective about it. You are looking to filter events out before they are indexed. You'll need to modify props.conf and transforms.conf files with some parsing to remove/replace data. Here's some links to get you started.
https://answers.splunk.com/answers/578334/how-can-i-filter-events-before-they-are-indexed-so.html
https://answers.splunk.com/topics/event-filtering.html
https://docs.splunk.com/Documentation/Splunk/7.2.5/Forwarding/Routeandfilterdatad
A gotcha to be aware of is SEDCMD in props.conf comes before Transforms. (hattip: @davidpaper )

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...