Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to remove a field from data before indexing?

tdiestel
Path Finder
‎12-02-2015 11:23 AM

Hi All;

I have an interesting issue. Currently, I have data free flowing into a port on in Splunk, and one of the fields in this data has become corrupt and is not allowing me to search my data correctly. What I want to do is remove this field from the data before it is indexed. Is there any way I can do this in Splunk itself?

Note: I really want to avoid sending the data else where for this change to be made and then sending it to Splunk, and I would want to not be limited the option of changing the field in the source.

Any suggestions are greatly appreciated as always.

Thanks,
Tyler

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎12-03-2015 12:31 AM

I would advise against deleting the time information after Last_Action. What if you wanted to use it in a search?
You could simply tell splunk where to break events and where to look for the timestamp of the event itself explicitly, like so:

[mobile]
LINE_BREAKER=([\r\n]+)\d{4}-
SHOULD_LINEMERGE=false
TIME_PREFIX=^

This should break your events properly and still retain all data.

Reply

tdiestel
Path Finder
‎12-02-2015 03:53 PM

These are good pointers, and I'm still trying to see if I can make this work. To be more specific of the field that is corrupting my data is this field has a timestamp component to it.

Scenario: A single event is sent to splunk that looks like this

2015-12-02T15:34:45-0800
User: Jim
Event_Name: "Click_Event"
Action_Type: "Lower_Menu_Item"
Last_Action: "click_2015-12-01T12:00:00-0800"
Last_Action_Type: "Upper Right Button"

Splunk then indexes this single event as 2 events:

One like this:

_time: 2015-12-02T15:34:45-0800
2015-12-02T15:34:45-0800
User: Jim
Event_Name: "Click_Event"
Action_Type: "Lower_Menu_Item"

The other like this:

_time: 2015-12-01T12:00:00-0800"
Last_Action: "click_2015-12-01T12:00:00-0800"
Last_Action_Type: "Upper Right Button"

End Goal: Stop splunk from splitting up my events.
Would settle for removing the "Last_Action" field if I can do it before splunk splits the event.

0 Karma
Reply

woodcock
Esteemed Legend
‎12-03-2015 09:45 AM

Then you asked the wrong question. See what @jeffland said.

0 Karma
Reply

tdiestel
Path Finder
‎12-02-2015 05:28 PM

Tried this in our props.conf file just to remove the field entirely but still no success. Is there something I'm doing wrong?

[mobile]
SEDCMD-nonrequiredtimestamps = s/[Last_Action =].*/Last_Action =/g

0 Karma
Reply

woodcock
Esteemed Legend
‎12-02-2015 01:18 PM

Like this:

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles

0 Karma
Reply

techboyt28
Engager
‎12-02-2015 11:41 AM

See if this helps,
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad

Reply

techboyt28
Engager
‎12-02-2015 11:40 AM

I came across this document see if it's of any help.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...