Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract Key=value before indexing , and index only...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract Key=value before indexing , and index only the extracted key/values
I have data input which returns key=value delimited with space, so I don't need to index all of them , so how can I index some of them and avoid the others..
Also I want when I search for something only the important key/values to show
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I recently filtered unwanted data at index time by using the filter and route method. I think this will allow you to accomplish what you need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kristian, thanks for your answer , the main goal here is to exclude unneeded data from being stored in splunk, so I needed to store only the important one to me..
so thinking about how to do this , and extract some parts of the incoming messages to Splunk store it and indexing it..
still your answer valid in that case ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kristian, thanks for your answer , the main goal here is to exclude unneeded data from being stored in splunk, so I needed to store only the important one to me..
so thinking about how to do this , and extract some parts of the incoming messages to Splunk store it and indexing it..
still your answer valid in that case ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Permanently removing (parts of) event data prior to indexing can be done by means of index-time transformations or SEDCMD, read more here;
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Anonymizedatausingconfigurationfiles
The definition of 'important' is hard for anyone but you to make. But changing the search mode might be what you're after;
http://docs.splunk.com/Documentation/Splunk/6.0/Search/Changethesearchmode
This will control how fields will be extracted, if at all. You can probably do this in a more manual fashion, by setting KV_MODE=none for your sourcetype, and making explicit EXTRACTs;
http://docs.splunk.com/Documentation/Splunk/6.0/admin/Propsconf
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first link in my answer above, demonstrate a few options for removing unwanted data from within each event prior to indexing.
The link provided by @sc0tt in his answer shows how to discard/keep whole events based on individual event content.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kristian, thanks for your answer , the main goal here is to exclude unneeded data from being stored in splunk, so I needed to store only the important one to me..
so thinking about how to do this , and extract some parts of the incoming messages to Splunk store it and indexing it..
still your answer valid in that case ?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
