Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

remove a field from the index

gitingua
Communicator
‎11-09-2021 08:10 AM

I have an event that comes to the index. 

| search index = indexname 

filed1 

field2

field3 

 

I need to write an exception that will discard the field before getting into the index

output:

| search index = indexname 

filed1 

field3 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 10:06 AM

Configure a null queue and direct events that you don't want to it https://docs.splunk.com/Documentation/Splunk/8.2.3/Forwarding/Routeandfilterdatad 

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 08:14 AM

If you can identify the events you don't want, you can send them to a null queue.

0 Karma
Reply
Solved! Jump to solution

gitingua
Communicator
‎11-09-2021 09:47 AM

@ITWhisperer or so that the field values are immediately empty as soon as they get into the index

0 Karma
Reply
Solved! Jump to solution

gitingua
Communicator
‎11-09-2021 09:30 AM

@ITWhisperer It is important for me that they do not come to the index. so that he throws them back.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 10:06 AM

Configure a null queue and direct events that you don't want to it https://docs.splunk.com/Documentation/Splunk/8.2.3/Forwarding/Routeandfilterdatad 

Reply
Solved! Jump to solution

gitingua
Communicator
‎11-09-2021 03:43 PM

@ITWhisperer 

  1. In props.conf, set the TRANSFORMS-null attribute:
    [ActiveDirectory]
TRANSFORMS-null= setnull
  2. Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
    [setnull]
REGEX = \[ms-Mcs-AdmPwdExpirationTime\]
DEST_KEY = queue
FORMAT = nullQueue
  3. Restart Splunk Enterprise.

    field - ms-Mcs-AdmPwdExpirationTime

    Not working.  what did I indicate wrong?
0 Karma
Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...