How to edit inputs.conf to exclude a field before ...

vikas_gopal · ‎12-12-2016

I am using Windows Host Monitoring stanza in inputs.conf like

([WinHostMon://Service]
interval = 10
disabled = 0
type = Service)
to collect service information on the windows machine . I got following in splunk .

Type=Service
Name="AeLookupSvc"
DisplayName="Application Experience"
Description="Processes application compatibility cache requests for applications as they are launched"
Path="C:\Windows\system32\svchost.exe -k netsvcs"
ServiceType="Share Process"
StartMode="Manual"
Started=false
State="Stopped"
Status="OK"
ProcessId=0

I do not want to index Description and Path Field. Please suggest how I can achieve this.

Thanks
VG

Yorokobi · ‎04-30-2019

In your indexing tier's props.conf

[WinHostMon]
### This affects ALL WinHostMon source types for the v6+ add-on
SEDCMD-nodesc = s/([\r\n]+)Description=".+"//g
SEDCMD-nopath = s/([\r\n]+)Path=".+"//g

Or to apply to only WinHostMon's Service source

[source::service]
SEDCMD-nodesc = s/([\r\n]+)Description=".+"//g
SEDCMD-nopath = s/([\r\n]+)Path=".+"//g

dkeck · ‎02-28-2017

Please accept answer, if it was helpfull.

Thank you

dkeck · ‎12-12-2016

Hi,

there are historic questions regarding this topic , for example

https://answers.splunk.com/answers/109253/how-to-filter-or-extract-fields-before-indexing-time.html

Kind regards

How to edit inputs.conf to exclude a field before indexing?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation