All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk ServiceNow app: how to Selectively remove Display value from indexing?

koshyk
Super Champion
‎04-05-2019 07:27 AM

hi
After recently upgrading to new version of ServiceNow app, we have found that the display value (dv_*) field have automatically been enabled. This makes each event/payload quite huge and makes them cumbersome to investigate. Some of the display_value fields are quite useful.

We could see the workaround provided per the docs to disable dv_* fields entirely: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Upgrade

So the question is
Can we selectively NOT index certain fields? (For example, we don't need fields like dv_approval_history from change_request table)

How to select the fields which are not required for indexing?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 07:18 AM

Found the answer. This can be done at inputs.conf 

[snow://change_request]
exclude = description,dv_close_notes,dv_comments_and_work_notes, ......

and so on. unfortunately it have to be done manually as per my testing

View solution in original post

Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 07:18 AM

Found the answer. This can be done at inputs.conf 

[snow://change_request]
exclude = description,dv_close_notes,dv_comments_and_work_notes, ......

and so on. unfortunately it have to be done manually as per my testing

Reply
Solved! Jump to solution

cybersecnutant
Explorer
‎02-12-2024 10:44 AM

Used this to drop the comments related fields. Longstanding tickets had more than 10,000 characters and would cause false negatives and/or crash browsers.

0 Karma
Reply
Solved! Jump to solution

efavreau
Motivator
‎04-08-2019 10:02 AM

Yes you can be selective about it. You are looking to filter events out before they are indexed. You'll need to modify props.conf and transforms.conf files with some parsing to remove/replace data. Here's some links to get you started.
https://answers.splunk.com/answers/578334/how-can-i-filter-events-before-they-are-indexed-so.html
https://answers.splunk.com/topics/event-filtering.html
https://docs.splunk.com/Documentation/Splunk/7.2.5/Forwarding/Routeandfilterdatad
A gotcha to be aware of is SEDCMD in props.conf comes before Transforms. (hattip: @davidpaper )

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...