Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filter out unnecessary data before sending the data to indexer

sahabhi606
Path Finder
‎09-16-2020 02:37 AM

Dear Splunkers, I need your help in filtering out the data which I am recieving before storing it into the indexer. Below is a sample data that I am recieving, and here I am intrested to keep data in below tags and discard others.

Intrested data:

<name>MACHINE_HOSTNAME</name> and <ip_address>11.22.33.44</ip_address>


Sample Data:

<computer><general><id>1234</id><name>MACHINE_HOSTNAME</name><network_adapter_type>XXXXXX</network_adapter_type><mac_address>XX:XX:XX:XX:XX:XX</mac_address><alt_network_adapter_type>Ethernet</alt_network_adapter_type><alt_mac_address>XX:XX:XX:XX:XX:XX</alt_mac_address><ip_address>11.22.33.44</ip_address><last_reported_ip>12.34.56.78</last_reported_ip><serial_number>XXXXXXXXXX</serial_number><udid>XXXX-XXXX-XX-XX</udid><jamf_version>10.X.0-tXXXXXX</jamf_version><platform>Mac</platform><barcode_1 /><barcode_2 /><asset_tag /><remote_management><managed>true</managed>


Regards,
Abhi

Labels (2)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-16-2020 06:09 AM

add below to props.conf on HF or Indexer, don't forget to replace yoursourcetype with the one for which you want to apply below extraction. It doesn't have timestamp after removing everything and keeping only name and ip_address, you should manage that.

[yoursourcetype]
SEDCMD-remove=s/.*(\<name\>.*\<\/name\>).*(\<ip_address\>.*\<\/ip_address\>).*/\1,\2/g

 

————————————
If this helps, give a like below.
Reply

sahabhi606
Path Finder
‎10-06-2020 06:44 AM

Hi @thambisetty , below configuration works only for the events which has these fields. 

 

[yoursourcetype]
SEDCMD-remove=s/.*(\<name\>.*\<\/name\>).*(\<ip_address\>.*\<\/ip_address\>).*/\1,\2/g

How can I discard rest events which do not have above values? or is there a way, where I get to keep only a few set of field values from the data, and discard others?

 

Thanks,

Abhishek

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-16-2020 03:45 AM

is the above sample data  single event ?

————————————
If this helps, give a like below.
0 Karma
Reply

sahabhi606
Path Finder
‎09-16-2020 04:43 AM

Hi @thambisetty ,

 

Thanks for your post. Yes it is a single event. This is just a small snippet of a very long event

 

Regards,

Abhishek

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-16-2020 03:42 AM

Hi @sahabhi606,

you have to use the SEDCMD command in props.conf.

If the sample you shared is only one event, you have to use something like this:

SEDCMD-removeunwanted1 = s/^\<computer\>\<general\>\<id\>\d+<\/id\>//
SEDCMD-removeunwanted2 = s/\<network_adapter_type\>.*\<\/alt_mac_address\>//
SEDCMD-removeunwanted3 = s/\<last_reported_ip\>.*//

 Ciao.

Giuseppe

0 Karma
Reply

sahabhi606
Path Finder
‎09-16-2020 04:42 AM

Hello @gcusello ,

 

 

Thanks for your post. yes it is a single evenyt, but this is just a snapshot of a very long event, and it won't be feasible to use SEDCMD to remove most of the tags. 

I would actually prefer to filter out all data except the relevant ones. I tried  it using below config in transforms.conf, but no luck

 

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \<name\>.*\<\/name\>
DEST_KEY = queue
FORMAT = indexQueue

 

Regards,

Abhishek

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-16-2020 05:28 AM

Hi @sahabhi606,

if it's acceptable for you to delete all the events it's easier for you!

Ciao and good splunking.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...