Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to exclude certain fields in json logs from being displayed on UI OR being indexed?

saranya_fmr
Communicator
‎10-25-2016 03:43 AM

Hi All,

Is there a way to exclude certain fields from my JSON data? For example: I have the below JSON Format event with fields A , B and C.

{

A : XXXX..
B : YYYY...
C : ZZZZ....

}

Is there a way to remove the fields B and C along with its values from the search result?

Reply

sundareshr
Legend
‎10-25-2016 06:36 AM

You can use SEDCMD to replace with empty strings. See if this link helps

http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Anonymizedata

props.conf

[sourcetype stanza]
SEDCMD-removefieldB = s/B:\w+//g
SEDCMD-removefieldC = s/C:\w+//g
Reply

saranya_fmr
Communicator
‎10-26-2016 02:47 AM

Thankyou @sundareshr

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎10-26-2016 08:54 AM

@saranya_fmr, if you accept this answer, please mark the "accept" link and @sarnagar will get delicious karma points and the rest of us will know this works as an answer.

0 Karma
Reply

sarnagar
Contributor
‎10-26-2016 02:27 AM

Thankyou..

Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...