I've searched everywhere but all solutions seem workaround, can someone can suggest the best way to prevent the indexing of message field in the windows eventlog sourcetype?
I want to apply the same method to my firewall syslog messages, in other words, I want to remove the unnecessary field from events before it's indexed.
quick search in this portal bring this great answer:
also i remember there are more, and i am positive i read a splunk blog about it.
in general, what you are looking for called "route and filter data" read here:
here is an example of how to remove the message from Windows EventCode 4624 (logon)
[WinEventLog:Security] TRANSFORMS-shorten = shorten4624
[shorten4624] REGEX = (?ms)(.*EventCode=4624.*)This event is generated when a logon session DEST_KEY = _raw FORMAT = $1
hope it helps
thank you Adonio but i want to discard ENTIRE filend and not a part of it, as i wrote i need to apply the same method on other source type, for example a firewall events in syslog ... i need to keep only 4 filed from the original 21 ...
not sure if you wanted to comment on my answer or answer yourself.
here is the link for the article you are looking for:
please read in detail. also, tons of answers here about it. look for
hope it helps
p.s. my answer above discards the "entire" message field and not part of it. you can use the same method to all your fields.
p.s. assuming the only fields you want from your firewall are let say: time, source, destination and action, i would probably have the firewall write only these values to the message and save also the load on your syslog server...