Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Discard one or more fields of a specific event without losing the rest of the fields of this event?

jfeitosa_real
Path Finder
‎01-04-2019 05:10 AM

Hi All,

Please, how to discard one or more fields of a specific event without losing the rest of the fields of this event?

It's possible?

Thank you very much in advance.

James

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-04-2019 10:12 AM

Those are two fairly small fields. Unless all events contain them, you're likely not saving much by eliminating them. The example I cited removed hundreds of characters from verbose Windows events.

If you still want to do it, the trick is to create a regular expression that parses your event into groups of wanted and unwanted text. Then the FORMAT setting puts only the wanted groups into the event.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-04-2019 05:56 AM

See https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jfeitosa_real
Path Finder
‎01-04-2019 09:23 AM

@richgalloway . In my case, they are Fortigate firewall logs.
How would it work if I were to discard the fields srcintfrole = "undefined" and dstintfrole = "undefined" for example.

See log example:

Jan 4 15:02:17 10.1.1.1 date=2019-01-04 time=15:04:13 devname="fwA1" devid="FWA11" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1546621453 srcip=10.2.2.1 srcport=54256 srcintf="port1" srcintfrole="undefined" dstip=216.152.102.6 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=410471 poluuid="1348e-602-5e8-7fb-bfbab974" dstcountry="Brazil" srccountry="Reserved" service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" duration=0 policyid=103 policytype="proxy-policy" user="USER1" group="G-Default" wanin=0 rcvdbyte=0 wanout=0 lanin=1418 sentbyte=1418 lanout=2561 appcat="unscanned" utmaction="allow" countweb=1

Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-04-2019 10:12 AM

Those are two fairly small fields. Unless all events contain them, you're likely not saving much by eliminating them. The example I cited removed hundreds of characters from verbose Windows events.

If you still want to do it, the trick is to create a regular expression that parses your event into groups of wanted and unwanted text. Then the FORMAT setting puts only the wanted groups into the event.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jfeitosa_real
Path Finder
‎01-04-2019 05:17 AM

Just by complementing, it would be a way to reduce the size of the log by reducing license consumption before indexing the events.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...