Solved: filtering content on index

hiddenkirby · ‎09-13-2010

At a high level... how would one filter the content itself being indexed.

Example: i was indexing ..say.. xml docs and wanted to exclude the contents in a pair of xml tags.

southeringtonp · ‎09-13-2010

If the content will always follow a known pattern, you can use SEDCMD to filter out the text you don't want. Set the second part of the expression to be empty, e.g.: SEDCMD-abc = s/StringToThrowAway//.

Another possibility (at the event level) would be to create an entry in transforms.conf matching the information you want suppressed, and route it to a null queue. See here for an example.

View solution in original post

southeringtonp · ‎09-13-2010

If the content will always follow a known pattern, you can use SEDCMD to filter out the text you don't want. Set the second part of the expression to be empty, e.g.: SEDCMD-abc = s/StringToThrowAway//.

Another possibility (at the event level) would be to create an entry in transforms.conf matching the information you want suppressed, and route it to a null queue. See here for an example.

filtering content on index

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration