- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to prevent the indexing of message field in th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to prevent the indexing of message field in the windows eventlog sourcetype?
I've searched everywhere but all solutions seem workaround, can someone can suggest the best way to prevent the indexing of message field in the windows eventlog sourcetype?
I want to apply the same method to my firewall syslog messages, in other words, I want to remove the unnecessary field from events before it's indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you Adonio but i want to discard ENTIRE filend and not a part of it, as i wrote i need to apply the same method on other source type, for example a firewall events in syslog ... i need to keep only 4 filed from the original 21 ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not sure if you wanted to comment on my answer or answer yourself.
here is the link for the article you are looking for:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Discard_specific_ev...
please read in detail. also, tons of answers here about it. look for nullqueue or discard
hope it helps
p.s. my answer above discards the "entire" message field and not part of it. you can use the same method to all your fields.
p.s. assuming the only fields you want from your firewall are let say: time, source, destination and action, i would probably have the firewall write only these values to the message and save also the load on your syslog server...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
quick search in this portal bring this great answer:
https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...
also i remember there are more, and i am positive i read a splunk blog about it.
in general, what you are looking for called "route and filter data" read here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad
here is an example of how to remove the message from Windows EventCode 4624 (logon)
props.conf:
[WinEventLog:Security]
TRANSFORMS-shorten = shorten4624
transforms.conf
[shorten4624]
REGEX = (?ms)(.*EventCode=4624.*)This event is generated when a logon session
DEST_KEY = _raw
FORMAT = $1
hope it helps
Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts
Video | Tom’s Smartness Journey Continues
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
