Hi Team,
We are already ingesting wineventlog in Splunk. So we are currently working towards license usage reduction for wineventlog, and we have Splunk_TA_windows version 8.0.0 installed, and all the fields are getting extracted as desired. So now I can see there are two fields getting extracted, i.e. one of which is "Message" and the other field is "body".
So both of them have the same or identical data, so if we filter out both fields, or either field, then I believe we could save a small amount of license.
So I have tried the below in the inputs.conf stanzas of my wineventlog inputs, but still neither the Message nor the body field is getting filtered out.
[WinEventLog://Security]
disabled = 0
suppress_text = 1

[WinEventLog://System]
disabled = 0
suppress_text = 1

[WinEventLog://Application]
disabled = 0
suppress_text = 1
If it is possible, I want to filter out both fields "body" and "Message", or at least the body field alone, so that we would be able to save some licensing.
So kindly help out with the inputs for the same.
I have replied with a solution similar to your case; you can check the same here - Solved: Windows - Filtering Forwarded Events based on LogN... - Splunk Community
Let me know how you go.
--
An upvote would be appreciated if it helps!
Thank you for your response. But it's not about filtering out a particular event ID; instead I want to completely remove the field before it gets ingested into Splunk.
Currently I can see two fields in our Splunk console: one is "body" and the other is "Message". When I checked the information, both seem to be the same.
Example of an event:
body --> An account was logged off. Subject: Security ID: x-xx-xx-xx-xxxxxxxxx-xxxxx-xxxxxxx-xxxxx Account Name: ABCDEFGH$ Account Domain: XX Logon ID: 1w23456ewera Logon Type: 3
Message --> An account was logged off. Subject: Security ID: x-xx-xx-xx-xxxxxxxxx-xxxxx-xxxxxxx-xxxxx Account Name: ABCDEFGH$ Account Domain: XX Logon ID: 1w23456ewera Logon Type: 3
So similarly there would be other types of "body" field, and the same would be in the "Message" field.
So if I remove the "body" field, then we can remove the duplicate data, which in turn helps to save license.
So kindly help by providing the stanza so that I can test it out in inputs.conf.
If both fields belong to the same event, they cannot be dropped to save license. There is no reference in the Splunk docs; alternatively you can raise a support case.
----
An upvote would be appreciated if it helps!
@anandhalagaras1 An alternative solution is to break the event into two different events: 1 body, 1 message. If you are fully confident both have the same information, then you can send either body/message into nullQueue based on a keyword.
---
An upvote would be appreciated if it helps!
Actually I want to send the "body" field to nullQueue. So how can I send it to nullQueue? Do we need to write props and transforms for the same, or should I stop them by updating inputs.conf? Kindly help me with the stanza if possible.
@anandhalagaras1 if you still wish to proceed, refer to this link - Solved: Filtering events using NullQueue - Splunk Community
# props.conf setting
[your_sourcetype]
TRANSFORMS-delete = sendtonullqueue

# transforms.conf settings
[sendtonullqueue]
REGEX = <this_should_match_your_body_uniquely>
DEST_KEY = queue
FORMAT = nullQueue

# Both these settings should be deployed to the indexer/HF
----
An upvote would be appreciated if it helps!
If your body and message belong to the same event, that technically means they are the _raw field. When you send it to nullQueue, the entire event will be lost. Yes, props and transforms conf are the way forward.
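The two points made in the replies above (that "body" and "Message" are both extractions from the same _raw, so dropping a field saves no license, and that a nullQueue transform discards the whole event rather than one field) are easy to see in a small model of the indexing pipeline. The Python below is an added example written for this thread; it is not Splunk's code nor the TA's, and it does not read any real conf files. It uses two constructed WinEventLog-style events, a simplified Message/body extraction, a model of the REGEX / DEST_KEY = queue / FORMAT = nullQueue transform from the reply above, and, as an extra assumption that the thread does not discuss, a model of a SEDCMD-style props rewrite that trims part of _raw before indexing, which is the kind of change that actually lowers the metered bytes.

```python
import re

# Constructed sample events in the classic (non-XML) WinEventLog text layout.
# Every value below is made up for illustration; none of it comes from the thread.
SAMPLE_EVENTS = [
    (
        "01/02/2024 10:15:03 AM\n"
        "LogName=Security\n"
        "EventCode=4634\n"
        "ComputerName=HOST01.example.local\n"
        "Message=An account was logged off.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1001\n"
        "\tAccount Name:\t\tHOST01$\n"
        "\tAccount Domain:\t\tEXAMPLE\n"
        "\tLogon ID:\t\t0x3E7\n"
        "\n"
        "Logon Type:\t\t3\n"
    ),
    (
        "01/02/2024 10:15:09 AM\n"
        "LogName=Security\n"
        "EventCode=4624\n"
        "ComputerName=HOST01.example.local\n"
        "Message=An account was successfully logged on.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-0-0\n"
        "\tAccount Name:\t\t-\n"
        "\n"
        "Logon Type:\t\t3\n"
    ),
]

# Everything from "Message=" to the end of the event is the message text.
MESSAGE_RE = re.compile(r"^Message=(.*)\Z", re.MULTILINE | re.DOTALL)


def extract_fields(raw):
    """Search-time style extraction: Message and body are both read from the
    same region of _raw, which is why the two look identical in the thread."""
    m = MESSAGE_RE.search(raw)
    text = m.group(1).strip() if m else ""
    return {"Message": text, "body": text}


def license_bytes(raw):
    """License volume is metered on the size of _raw as indexed, not on the
    fields extracted from it."""
    return len(raw.encode("utf-8"))


def index_without_field(raw, field):
    """Dropping an extracted field leaves _raw untouched, so the metered size
    is unchanged. Returns (metered_bytes, remaining_fields)."""
    fields = extract_fields(raw)
    fields.pop(field, None)
    return license_bytes(raw), fields


def nullqueue(raw, regex):
    """Model of TRANSFORMS with DEST_KEY = queue / FORMAT = nullQueue: when the
    REGEX matches, the whole event goes to nullQueue (returned as None);
    otherwise the event is kept intact."""
    return None if re.search(regex, raw, re.MULTILINE) else raw


def sedcmd_trim(raw, pattern, repl=""):
    """Model of a SEDCMD props setting (an assumption of this example; the
    thread does not discuss it): rewrite _raw before indexing, so only the
    bytes matched by the pattern stop counting against license."""
    return re.sub(pattern, repl, raw, flags=re.MULTILINE)


def summarize(events, drop_regex, trim_pattern):
    """Per event: EventCode, metered bytes as-is, bytes after dropping the body
    field, bytes after the SEDCMD-style trim, and whether nullQueue kept it."""
    rows = []
    for raw in events:
        code = re.search(r"^EventCode=(\d+)$", raw, re.MULTILINE).group(1)
        rows.append({
            "EventCode": code,
            "raw_bytes": license_bytes(raw),
            "without_body_bytes": index_without_field(raw, "body")[0],
            "trimmed_bytes": license_bytes(sedcmd_trim(raw, trim_pattern)),
            "kept_by_nullqueue": nullqueue(raw, drop_regex) is not None,
        })
    return rows


if __name__ == "__main__":
    # Drop logoff events by a keyword in the message; trim the Subject block from the rest.
    for row in summarize(SAMPLE_EVENTS, r"logged off", r"^Subject:\n(?:\t.*\n)*"):
        print(row)
```

Running it shows `raw_bytes` equal to `without_body_bytes` for every event (removing the extracted field changes nothing), the 4634 event gone entirely under the keyword nullQueue rule, and a smaller `trimmed_bytes` only for the rewrite that shortens _raw itself. The drop rule and trim pattern are deliberately narrow so the before/after is visible; on a real deployment both belong on the indexer or heavy forwarder, as the reply above notes for the props/transforms pair.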