Getting Data In

How can I filter the field only from certain events?

bagaeva
Engager

Hello! How can I filter the field only from certain events? There are a lot of events with the same fields; I need to filter these fields out at indexing time, but only in some events.


khaynes_splunk
Splunk Employee

The answer here is NOT to change the field extractions of the original, raw data. It sounds like you want to treat the value of u_cr differently for some values of event than those from other values of event. In that case, you could just change the value of u_cr for those events dynamically at search time to get what you need. For example, if you were summing u_cr but wanted to exclude the value of u_cr from that summation for events where the event field equals "vil", you could just set u_cr to zero for those events right in the search; for example:

... | eval u_cr=if(event="vil", 0, u_cr) | stats sum(u_cr)

I hope that helps.


koshyk
Super Champion

Please provide sample raw data in your post, and how you want the output to look, so we can put together the correct search/filter/regex.


bagaeva
Engager

two events:

1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_cr = 56 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624

1508735662.348 d = a event = cup fI = "2017-10-22 17: 26: 37.000" serv = ru_1 sn = u_cl = 1 u_cr = 300 u_geo = RU u_id = 1256228 u_mn = 595 u_pvp = 0 u_sd = 600 u_st = 700 u_wd = 760 u_wl = 1

The field u_cr = 56 must be removed only from the first (event = vil). In the second (event = cup), it should not change.

After deleting it, the first event looks like:

1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624
