Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to stop ingesting a field value

franciscof
Explorer
‎11-17-2020 11:32 AM

Hi guys, I have an input made from the ASplunk addon for AWS and what I want to do is to stop ingesting a field value. This is cloudflare data and what I want to stop ingesting is the field value WAFAction=unknown

Could I do this through the props and transforms? If so, how should I do it?

Thanks in advance.

 

Regards,

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2020 12:19 PM

So you want to not ingest the field WAFAction, but only if the value is "unknown", correct?  I'm curious about the use case for that.  You may be able to do it with INGEST_EVAL.  Here's an untested transform:

[dropunknownwafaction]
INGEST_EVAL = WAFAction:=if(WAFAction="unknown", null(), WAFAction)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

franciscof
Explorer
‎11-17-2020 12:52 PM

Actually is the other way around. I do not want to ingest that specific field value (WAFAction=unknown). How could I do?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2020 06:12 AM

That is why my answer does.  It only ingests the WAFAction field if the value is not "unknown".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...