Solved: Re: Removal of unnecessary fields BEFORE INDEX

davidepala · ‎04-04-2018

Hi all!
There is a way to prevent the indexing of unnecessary fields? i'm indexing a syslog file from a firewall so i can do this at syslog server side but if it's possible I'd rather do it in splunk.

niketn · ‎04-04-2018

@davidepala you can have a scripted input to push only required data/fields to Splunk.
You can also use REGEX or SEDCMD to find regular expression based pattern and replace with space.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

If you have to omin entire event from being indexed you can use nullqueue

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data_...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎04-04-2018

@davidepala you can have a scripted input to push only required data/fields to Splunk.
You can also use REGEX or SEDCMD to find regular expression based pattern and replace with space.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

If you have to omin entire event from being indexed you can use nullqueue

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data_...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

davidepala · ‎04-04-2018

TOP, you've save my day! tnx man!!!

niketn · ‎04-04-2018

@davidepala, anytime. Please accept the answer if it helped. Do let us know if you need further help 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Removal of unnecessary fields BEFORE INDEX

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms