The value '20/SEP/13' can removed
The hello '28/JUN/14' can be removed
The today '23/JUN/14' can be removed
Hi premranjithj,
If you want to filter events before indexing, you have to follow https://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad
To remove a part of an event, you can use SEDCMD.
If instead you want to mask these dates without filtering events, you can follow https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Anonymizedata
If instead you have already indexed the data, it's possible to delete events, but it's a logical removal (deleted items remain in the index); you cannot remove a part of an event, you can remove only the full event.
If you want to remove indexed data, you could also:
- export all your index by running a search (index=your_index) and exporting the results to text files (using raw data as the format);
- clear your index (http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/RemovedatafromSplunk);
- reindex the exported data using data mask or filters.
Bye.
Giuseppe
Not getting you. Please give us more clear info. You want to search and remove these lines, or you don't want to index these lines at all, or something else?
I want to remove the date value alone in all the 3 lines.
The data is already indexed or not yet?
While indexing this data, you want to remove the date and then index?
It is already indexed.
You cannot remove a part of an event, you can remove only the full event.
As suggested by Giuseppe:
If you want to remove indexed data, you could also:
- export all your index by running a search (index=your_index) and exporting the results to text files (using raw data as the format);
- clear your index (http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/RemovedatafromSplunk);
- reindex the exported data using data mask or filters.
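An added example, not part of the original thread: before re-indexing the exported data with a mask, the substitution can be previewed on the exported raw events with `sed -E`, and the same expression then goes into a `SEDCMD` setting in props.conf. The sourcetype name `my_sourcetype`, the class name `strip_dates` and the assumption that every date is a single-quoted `DD/MON/YY` value followed by a space are hypothetical, taken only from the three sample events.

```shell
#!/bin/sh
# Added example: preview a date-stripping expression on exported raw events,
# then print the props.conf stanza that applies it while re-indexing.
# Assumptions: dates look like 'DD/MON/YY' in single quotes (as in the three
# sample events); "my_sourcetype" and "strip_dates" are hypothetical names.

# One expression, written so that both sed -E and SEDCMD accept it.
# It removes the quoted date and one following space, if present.
DATE_SED="s/'[0-9]{2}\/[A-Z]{3}\/[0-9]{2}' ?//g"

# Apply the substitution to raw events read from stdin.
strip_dates() {
    sed -E "$DATE_SED"
}

# Constructed sample: the three events quoted in the question.
sample_events() {
    cat <<'EOF'
The value '20/SEP/13' can removed
The hello '28/JUN/14' can be removed
The today '23/JUN/14' can be removed
EOF
}

# Count events that still contain a quoted date after the substitution.
# grep -c exits non-zero when the count is 0, hence the "|| true".
remaining_dates() {
    strip_dates | grep -Ec "'[0-9]{2}/[A-Z]{3}/[0-9]{2}'" || true
}

# Emit the stanza for props.conf on the instance that parses the data.
props_stanza() {
    printf '[%s]\nSEDCMD-strip_dates = %s\n' "my_sourcetype" "$DATE_SED"
}

sample_events | strip_dates   # preview of the rewritten events
props_stanza                  # stanza to place in props.conf before re-indexing
```

`SEDCMD` is applied when events are parsed at index time, so it changes only data indexed after the setting is in place; events already in the index keep their dates until they are cleaned and re-indexed as described in the thread.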