Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to drop specific lines from an event not the whole event

Mfmahdi
Path Finder
‎03-04-2024 08:00 AM

we are getting WAF log and the events are very big we need to drop some lines from the events that has no meaningful value not the whole event.

@gcusello 

thank you in advance.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-04-2024 09:23 AM

Hi @Mfmahdi,

you could truncate your events defining the max lenght of each event using the TRUNCATE option in props.conf.

Otherwise you could define a regex to exclude from each event the part that you don't want.

You should use the SEDCMD command in props.conf

For more infos see at https://docs.splunk.com/Documentation/Splunk/9.2.0/admin/Propsconf

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎03-05-2024 10:27 PM

@Mfmahdi Example: 

SEDCMD:

[your_sourcetype]
SEDCMD-drop_unwanted_lines = <regex>

Truncate:

[your_sourcetype]
TRUNCATE = 10000

Adjust the value to your desired maximum event length.

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
card or social security numbers. For more information, search the online
documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw
field.
* A sed script is a space-separated list of sed commands. Currently the
following subset of sed commands is supported:
* replace (s) and character substitution (y).
* Syntax:
* replace - s/regex/replacement/flags
* regex is a perl regular expression (optionally containing capturing
groups).
* replacement is a string to replace the regex match. Use \n for back
references, where "n" is a single digit.
* flags can be either: g to replace all matches, or a number to
replace a specified match.
* substitute - y/string1/string2/
* substitutes the string1[i] with string2[i]
* No default.

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-04-2024 09:23 AM

Hi @Mfmahdi,

you could truncate your events defining the max lenght of each event using the TRUNCATE option in props.conf.

Otherwise you could define a regex to exclude from each event the part that you don't want.

You should use the SEDCMD command in props.conf

For more infos see at https://docs.splunk.com/Documentation/Splunk/9.2.0/admin/Propsconf

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-21-2024 10:04 AM

Hi @Mfmahdi ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...