Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to filter specific fields in structured events in Heavy Forwarder?

vhharanpositka
Explorer
‎12-26-2019 09:42 AM

Hi Gaurav

I want to know how to filter only few fields in an event and eliminate the other fields.
Eg:

{ [-]
action: ALLOW
formatVersion: 1
httpRequest: { []
}
httpSourceId: 30gcfrxt8djgvhg4b8f074e
httpSourceName: ALB
nonTerminatingMatchingRules: [ []
]
rateBasedRuleList: [ []
]
ruleGroupList: [ []
]
terminatingRuleId: Default_Action
terminatingRuleType: REGULAR
timestamp: 1571993927624
webaclId: cxxxxxxxxxxxxxxxxxxxxxxxxxxx
}

I want only fields like action, ruleBasedRuleList, terminatingRuleType, and webaclId. How can I filter these fields in Splunk?

0 Karma
Reply
Get Updates on the Splunk Community!