Solved: filtering content on index

hiddenkirby · ‎09-13-2010

At a high level... how would one filter the content itself being indexed.

Example: i was indexing ..say.. xml docs and wanted to exclude the contents in a pair of xml tags.

southeringtonp · ‎09-13-2010

If the content will always follow a known pattern, you can use SEDCMD to filter out the text you don't want. Set the second part of the expression to be empty, e.g.: SEDCMD-abc = s/StringToThrowAway//.

Another possibility (at the event level) would be to create an entry in transforms.conf matching the information you want suppressed, and route it to a null queue. See here for an example.

View solution in original post

southeringtonp · ‎09-13-2010

If the content will always follow a known pattern, you can use SEDCMD to filter out the text you don't want. Set the second part of the expression to be empty, e.g.: SEDCMD-abc = s/StringToThrowAway//.

Another possibility (at the event level) would be to create an entry in transforms.conf matching the information you want suppressed, and route it to a null queue. See here for an example.

filtering content on index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation