Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

remove a field from the index

gitingua
Communicator
‎11-09-2021 08:10 AM

I have an event that comes to the index. 

| search index = indexname 

filed1 

field2

field3 

 

I need to write an exception that will discard the field before getting into the index

output:

| search index = indexname 

filed1 

field3 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 10:06 AM

Configure a null queue and direct events that you don't want to it https://docs.splunk.com/Documentation/Splunk/8.2.3/Forwarding/Routeandfilterdatad 

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 08:14 AM

If you can identify the events you don't want, you can send them to a null queue.

0 Karma
Reply
Solved! Jump to solution

gitingua
Communicator
‎11-09-2021 09:47 AM

@ITWhisperer or so that the field values are immediately empty as soon as they get into the index

0 Karma
Reply
Solved! Jump to solution

gitingua
Communicator
‎11-09-2021 09:30 AM

@ITWhisperer It is important for me that they do not come to the index. so that he throws them back.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 10:06 AM

Configure a null queue and direct events that you don't want to it https://docs.splunk.com/Documentation/Splunk/8.2.3/Forwarding/Routeandfilterdatad 

Reply
Solved! Jump to solution

gitingua
Communicator
‎11-09-2021 03:43 PM

@ITWhisperer 

  1. In props.conf, set the TRANSFORMS-null attribute:
    [ActiveDirectory]
TRANSFORMS-null= setnull
  2. Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
    [setnull]
REGEX = \[ms-Mcs-AdmPwdExpirationTime\]
DEST_KEY = queue
FORMAT = nullQueue
  3. Restart Splunk Enterprise.

    field - ms-Mcs-AdmPwdExpirationTime

    Not working.  what did I indicate wrong?
0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...