Getting Data In

How would I filter out fields via Props.conf?

pfabrizi
Path Finder

I am forwarding windows events from graylog to a UF and then UF to Indexer.
I have a props.conf to create field alias from the Graylog fields. Once I have these I want to eliminate the gray log fields from being indexed.

Here is Props.conf.

FIELDALIAS-winlogbeat_as_host = winlogbeat_fields_collector_node_id as host
FIELDALIAS-winlogbeat_as_eventid = winlogbeat_event_id as EventCode
FIELDALIAS-winlogbeat_as_processname = winlogbeat_event_data_ProcessName as Process_Name
FIELDALIAS-winlogbeat_as_logonid = winlogbeat_event_data_TargetLogonId as Logon_ID
FIELDALIAS-winlogbeat_as_user = winlogbeat_event_data_TargetUserName  as user
FIELDALIAS-winlogbeat_as_src_user = user as src_user
FIELDALIAS-winlogbeat_as_action = winlogbeat_keywords  as action
FIELDALIAS-winlogbeat_as_security_id = winlogbeat_event_data_TargetUserSid as Security_ID
FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_event_data_TargetDomainName as Account_Domain
FIELDALIAS-winlogbeat_as_logontype = winlogbeat_event_data_LogonType as Logon_Type
FIELDALIAS-winlogbeat_as_srcip = winlogbeat_event_data_IpAddress as src_ip
FIELDALIAS-winlogbeat_as_src = winlogbeat_computer_name   as src
FIELDALIAS-winlogbeat_as_destip = src_ip as dest_ip

How would I eliminate the winlogbeat fields from being indexed?

Thanks!

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

As I understand it, the original fields are always retained.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

As I understand it, the original fields are always retained.

---
If this reply helps you, Karma would be appreciated.
0 Karma

pfabrizi
Path Finder

That is what I thought.

Thank You!

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...