Splunk Search

How to remove the field from search time field extraction.

Explorer

Hi Folks,

We have on-boarded the AWS log and are able to see the logs. The fields are extracting as key=value pairs; in that, the sourceIPAddress field is extracting with key=value pairs and it has IP address and DNS name values. Now we would like to remove or hide the sourceIPAddress field from interesting and selected fields.

Is there any option to hide or remove that field (sourceIPAddress) in Splunk?

Thanks,
Sridhar


SplunkTrust

@lksridhar if the purpose of hiding sourceIPAddress is from a security/compliance perspective, it would be better to mask/anonymize the field using the REGEX or SEDCMD options through props.conf and transforms.conf. Please check out the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Explorer

Thanks for your input. Masking or anonymizing won't help here.

Let me explain my requirement.

As I said, we have a field called sourceIPAddress with values of IP address and DNS name. We don't want to display the DNS name in the sourceIPAddress field, so I have created a DNS name field and it is displaying the DNS value, but the DNS name is still showing in the sourceIPAddress field.

Is there any option I can use to remove the DNS value from the sourceIPAddress field?


SplunkTrust

@lksridhar through SEDCMD you can find and replace DNS names with an empty value, i.e. "", and they will not show up.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Splunk Employee

One thing here: AWS logs are all ingested as XML and use autoKV extraction. While you could disable autoKV extraction, in most use cases you wouldn't want to. This would mean you have to extract your fields manually.

Now if you mean the GUI "Interesting Fields", typically when fields are in more than 50%, they show up in the interesting fields. Splunk does this automatically, and with JSON, auto KV is what you really want. You can always append | fields - sourceIPAddress to your search, and this will remove it from the results. Otherwise, just ignore it.

Explorer

Thanks for the information. We can use the fields option, but I have to use that option every time whenever I'm searching the data.

Is there any option I can use to configure this in the Splunk configuration files?

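The SEDCMD route from the SplunkTrust reply above, written out as the props.conf stanza the last post asks about (an added example, not from the thread). It assumes the data is indexed under the sourcetype aws:cloudtrail and that the DNS names in sourceIPAddress are AWS service names ending in .amazonaws.com, which is what CloudTrail records there for service-initiated API calls.

```ini
# props.conf on the indexer or heavy forwarder (the first full Splunk
# instance that parses the data), not on a universal forwarder.
# Sourcetype name is assumed; the thread only says "aws log".
[aws:cloudtrail]

# Index-time rewrite of _raw: where sourceIPAddress holds a DNS name
# (assumed here to be an AWS service name such as config.amazonaws.com),
# replace the value with "" so autoKV extracts an empty sourceIPAddress.
# Plain IPv4 values contain no letters and do not match, so they are kept.
# \1 keeps the captured key and opening quote; the trailing " is re-added.
SEDCMD-blankdns = s/("sourceIPAddress"\s*:\s*")[A-Za-z0-9.-]+\.amazonaws\.com"/\1"/g
```

This only affects events indexed after the change is applied, and because it rewrites _raw the DNS value is not recoverable afterwards; already-indexed events still need the search-time | fields - sourceIPAddress from the reply above.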