Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How would I filter out fields via Props.conf?

pfabrizi
Path Finder
‎06-28-2018 04:51 AM

I am forwarding windows events from graylog to a UF and then UF to Indexer.
I have a props.conf to create field alias from the Graylog fields. Once I have these I want to eliminate the gray log fields from being indexed.

Here is Props.conf.

FIELDALIAS-winlogbeat_as_host = winlogbeat_fields_collector_node_id as host
FIELDALIAS-winlogbeat_as_eventid = winlogbeat_event_id as EventCode
FIELDALIAS-winlogbeat_as_processname = winlogbeat_event_data_ProcessName as Process_Name
FIELDALIAS-winlogbeat_as_logonid = winlogbeat_event_data_TargetLogonId as Logon_ID
FIELDALIAS-winlogbeat_as_user = winlogbeat_event_data_TargetUserName  as user
FIELDALIAS-winlogbeat_as_src_user = user as src_user
FIELDALIAS-winlogbeat_as_action = winlogbeat_keywords  as action
FIELDALIAS-winlogbeat_as_security_id = winlogbeat_event_data_TargetUserSid as Security_ID
FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_event_data_TargetDomainName as Account_Domain
FIELDALIAS-winlogbeat_as_logontype = winlogbeat_event_data_LogonType as Logon_Type
FIELDALIAS-winlogbeat_as_srcip = winlogbeat_event_data_IpAddress as src_ip
FIELDALIAS-winlogbeat_as_src = winlogbeat_computer_name   as src
FIELDALIAS-winlogbeat_as_destip = src_ip as dest_ip

How would I eliminate the winlogbeat fields from being indexed?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2018 05:33 AM

As I understand it, the original fields are always retained.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2018 05:33 AM

As I understand it, the original fields are always retained.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

pfabrizi
Path Finder
‎06-28-2018 06:13 AM

That is what I thought.

Thank You!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...