Hello,
I have a .json that contains any multivalue fields.
I would like to avoid that any multivalue field be indexed, because It contais a lot of data that I want to avoid index.
Is there any way to do It?
I have try other options like replace all multivalue text by a character, with the follow command ( | rex field="changelog.histories{}.history" mode=sed "s/(^.+)/x/g" )in a search, and I am able to change:
asderdas
asd34sdas
asdaserwerw
by
x
x
x
although I have tried with SEDCMD-xyz = s/"changelog.histories{}.history"=^.+/x/g in "Add data"-"Set sourcetype" window- Advanced and I don't achieve It.
I would like to avoid index "changelog.histories{}.history" or change:
asderdas
asd34sdas
asdaserwerw
by
x
(changing all multivalue values for only a character(x for example)
Is It possible?
Thanks a lot and regards
Daniel
