Solved: filtering content on index

hiddenkirby · ‎09-13-2010

At a high level... how would one filter the content itself being indexed.

Example: i was indexing ..say.. xml docs and wanted to exclude the contents in a pair of xml tags.

southeringtonp · ‎09-13-2010

If the content will always follow a known pattern, you can use SEDCMD to filter out the text you don't want. Set the second part of the expression to be empty, e.g.: SEDCMD-abc = s/StringToThrowAway//.

Another possibility (at the event level) would be to create an entry in transforms.conf matching the information you want suppressed, and route it to a null queue. See here for an example.

View solution in original post

southeringtonp · ‎09-13-2010

If the content will always follow a known pattern, you can use SEDCMD to filter out the text you don't want. Set the second part of the expression to be empty, e.g.: SEDCMD-abc = s/StringToThrowAway//.

Another possibility (at the event level) would be to create an entry in transforms.conf matching the information you want suppressed, and route it to a null queue. See here for an example.

filtering content on index

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!