Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to remove the field from search time field extraction.

lksridhar
Explorer
‎05-25-2018 10:59 PM

Hi Folks,

we have on-boarded the aws log and able to see the logs. The field are extracting with key=value pair , in that sourceIPAddress field extracting with key=value pairs and it have ip address and dns name value. now we would like to remove or hide the sourceIPaddress field from interesting and selected fields.

is there any option to hide or remove that field(sourceIPAddress ) in splunk.

Thanks,
Sridhar

Tags (1)
0 Karma
Reply

niketn
Legend
‎05-26-2018 07:22 AM

@lksridhar if the purpose of hiding of sourceIPAddress is from security/compliance perspective, it would be better if you masked/anonymized the field using REGEX or SEDCMD options through props.conf and transform.conf. Please check out the following documentation: https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

lksridhar
Explorer
‎05-26-2018 10:50 PM

Thanks for your input. masked or anonymized it won't help here.

let me explain my requirement.

as i said we have field called sourceIPAddress with value of IP address and DNS name. we don't want to display the dns name in sourceIPAddress field so i have created the DNS name field and it is displaying the dns value but still the DNS name showing in sourceIPAddress field.

is there any option i can use to remove the DNS value from SourceIPAdress field.

0 Karma
Reply

niketn
Legend
‎05-27-2018 12:49 AM

@lksridhar through SEDCMD you can find and replace DNS names with empty value i.e. "" and they will not show up.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎05-26-2018 12:58 AM

One thing here, AWS logs are all ingested and XML and use autoKV extraction. While you could disable autoKV extraxction, in most use cases you wouldnt want to. This would mean you have to extract your fields manually.

Now if you mean the GUI "Interesting Fields", typically when fields are in more then 50%, they show up in the interesting fields. Splunk automatically this, and with json, auto KV is what you really want. You can always append |fields - sourceIPAddress to your search, and this will remove it from the results. Otherwise, just ignore it.

Reply

lksridhar
Explorer
‎05-26-2018 07:11 AM

Thanks for the information, we can use fields option but i have to use that option every time when ever i'm searching the data.

is there any option i can use to configure in splunk configuration files.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...