Getting Data In

How to prevent the indexing of message field in the windows eventlog sourcetype?

davidepala
Path Finder

I've searched everywhere but all solutions seem like workarounds. Can someone suggest the best way to prevent the indexing of the message field in the Windows eventlog sourcetype?
I want to apply the same method to my firewall syslog messages; in other words, I want to remove the unnecessary fields from events before they are indexed.

0 Karma

davidepala
Path Finder

Thank you Adonio, but I want to discard the ENTIRE field and not a part of it. As I wrote, I need to apply the same method on other source types, for example firewall events in syslog ... I need to keep only 4 fields from the original 21 ...

0 Karma

adonio
Ultra Champion

Not sure if you wanted to comment on my answer or answer yourself.
Here is the link for the article you are looking for:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Discard_specific_ev...
Please read it in detail. Also, there are tons of answers here about it; look for nullqueue or discard.
Hope it helps.
P.S. My answer above discards the "entire" message field and not part of it. You can use the same method for all your fields.
P.S. Assuming the only fields you want from your firewall are, let's say, time, source, destination and action, I would probably have the firewall write only these values to the message and also save the load on your syslog server...

0 Karma

adonio
Ultra Champion

Hello there,
A quick search in this portal brings up this great answer:
https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...
Also, I remember there are more, and I am positive I read a Splunk blog about it.
In general, what you are looking for is called "route and filter data"; read here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad
Here is an example of how to remove the message from Windows EventCode 4624 (logon):
props.conf:

[WinEventLog:Security]
TRANSFORMS-shorten = shorten4624

transforms.conf:

[shorten4624]
REGEX = (?ms)(.*EventCode=4624.*)This event is generated when a logon session
DEST_KEY = _raw
FORMAT = $1

Hope it helps.

0 Karma
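To see what the transform in this answer actually does to an event before it reaches the index, here is an added Python model of a Splunk index-time transform with DEST_KEY = _raw (this is example code written for this page, not part of the answer above and not Splunk's own implementation). It applies the exact shorten4624 regex from the answer to a constructed Windows 4624 event, and then generalises the same REGEX/FORMAT idea to the firewall case the asker describes: a constructed key=value firewall syslog line is reduced to time, source, destination and action. The firewall field names and both sample events are assumptions made for the example.

```python
import re

# Model of one Splunk transforms.conf stanza with DEST_KEY = _raw:
# when REGEX matches, _raw is rewritten as FORMAT with $1, $2, ... replaced
# by the capture groups; when it does not match, the event passes unchanged.
def apply_raw_transform(raw, regex, fmt):
    m = regex.search(raw)
    if not m:
        return raw
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", fmt)

# Stanza [shorten4624] exactly as posted in the answer above.
SHORTEN_4624 = re.compile(
    r"(?ms)(.*EventCode=4624.*)This event is generated when a logon session"
)

def shorten_4624(raw):
    return apply_raw_transform(raw, SHORTEN_4624, "$1")

# Constructed sample of a Windows Security 4624 event (not a real log).
EVENT_4624 = (
    "04/10/2018 10:15:32 AM\n"
    "LogName=Security\n"
    "EventCode=4624\n"
    "EventType=0\n"
    "Message=An account was successfully logged on.\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-0-0\n"
    "This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.\n"
    "The subject fields indicate the account on the local system which requested the logon."
)

# Generalisation to the firewall case: keep only four fields of a key=value
# syslog line. The field names (time, srcip, dstip, action) are assumed for
# this example; the capture order must follow the order in the event.
KEEP_FW_FIELDS = re.compile(
    r"^(time=\S+).*?(srcip=\S+).*?(dstip=\S+).*?(action=\S+)"
)

def keep_firewall_fields(raw):
    return apply_raw_transform(raw, KEEP_FW_FIELDS, "$1 $2 $3 $4")

# Constructed firewall event with 21 key=value fields (not a real log).
FW_EVENT = (
    "time=2018-04-10T10:15:32Z devname=fw01 devid=FG100 logid=0000000013 "
    "type=traffic subtype=forward level=notice vd=root srcip=10.1.1.5 "
    "srcport=51515 srcintf=port1 dstip=93.184.216.34 dstport=443 dstintf=port2 "
    "sessionid=12345 proto=6 action=accept policyid=7 service=HTTPS "
    "duration=5 sentbyte=1200 rcvdbyte=3400"
)

if __name__ == "__main__":
    print(shorten_4624(EVENT_4624))
    print(keep_firewall_fields(FW_EVENT))
```

Two practical points the model makes visible: an event that does not match the REGEX (for example EventCode 4625) is indexed untouched, so each sourcetype needs its own stanza, and a greedy `.*` under `(?ms)` captures up to the last occurrence of the trailing literal, which is what removes the whole boilerplate description. Transforms that rewrite `_raw` run in the parsing pipeline, so they belong on the indexer or a heavy forwarder, not on a universal forwarder. Splunk evaluates the REGEX with PCRE; the constructs used here behave the same in Python's `re`.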