All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk ServiceNow app: how to Selectively remove Display value from indexing?

koshyk
Super Champion
‎04-05-2019 07:27 AM

hi
After recently upgrading to new version of ServiceNow app, we have found that the display value (dv_*) field have automatically been enabled. This makes each event/payload quite huge and makes them cumbersome to investigate. Some of the display_value fields are quite useful.

We could see the workaround provided per the docs to disable dv_* fields entirely: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Upgrade

So the question is
Can we selectively NOT index certain fields? (For example, we don't need fields like dv_approval_history from change_request table)

How to select the fields which are not required for indexing?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 07:18 AM

Found the answer. This can be done at inputs.conf 

[snow://change_request]
exclude = description,dv_close_notes,dv_comments_and_work_notes, ......

and so on. unfortunately it have to be done manually as per my testing

View solution in original post

Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 07:18 AM

Found the answer. This can be done at inputs.conf 

[snow://change_request]
exclude = description,dv_close_notes,dv_comments_and_work_notes, ......

and so on. unfortunately it have to be done manually as per my testing

Reply
Solved! Jump to solution

cybersecnutant
Explorer
‎02-12-2024 10:44 AM

Used this to drop the comments related fields. Longstanding tickets had more than 10,000 characters and would cause false negatives and/or crash browsers.

0 Karma
Reply
Solved! Jump to solution

efavreau
Motivator
‎04-08-2019 10:02 AM

Yes you can be selective about it. You are looking to filter events out before they are indexed. You'll need to modify props.conf and transforms.conf files with some parsing to remove/replace data. Here's some links to get you started.
https://answers.splunk.com/answers/578334/how-can-i-filter-events-before-they-are-indexed-so.html
https://answers.splunk.com/topics/event-filtering.html
https://docs.splunk.com/Documentation/Splunk/7.2.5/Forwarding/Routeandfilterdatad
A gotcha to be aware of is SEDCMD in props.conf comes before Transforms. (hattip: @davidpaper )

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...