Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

remove a field from the index

gitingua
Communicator
‎11-09-2021 08:10 AM

I have an event that comes to the index. 

| search index = indexname 

filed1 

field2

field3 

 

I need to write an exception that will discard the field before getting into the index

output:

| search index = indexname 

filed1 

field3 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 10:06 AM

Configure a null queue and direct events that you don't want to it https://docs.splunk.com/Documentation/Splunk/8.2.3/Forwarding/Routeandfilterdatad 

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 08:14 AM

If you can identify the events you don't want, you can send them to a null queue.

0 Karma
Reply
Solved! Jump to solution

gitingua
Communicator
‎11-09-2021 09:47 AM

@ITWhisperer or so that the field values are immediately empty as soon as they get into the index

0 Karma
Reply
Solved! Jump to solution

gitingua
Communicator
‎11-09-2021 09:30 AM

@ITWhisperer It is important for me that they do not come to the index. so that he throws them back.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2021 10:06 AM

Configure a null queue and direct events that you don't want to it https://docs.splunk.com/Documentation/Splunk/8.2.3/Forwarding/Routeandfilterdatad 

Reply
Solved! Jump to solution

gitingua
Communicator
‎11-09-2021 03:43 PM

@ITWhisperer 

  1. In props.conf, set the TRANSFORMS-null attribute:
    [ActiveDirectory]
TRANSFORMS-null= setnull
  2. Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
    [setnull]
REGEX = \[ms-Mcs-AdmPwdExpirationTime\]
DEST_KEY = queue
FORMAT = nullQueue
  3. Restart Splunk Enterprise.

    field - ms-Mcs-AdmPwdExpirationTime

    Not working.  what did I indicate wrong?
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...