Splunk Search

I want to remove the date occurrence for all the lines

Builder

The value '20/SEP/13' can removed
The hello '28/JUN/14' can be removed
The today '23/JUN/14' can be removed

0 Karma
1 Solution

Legend

Hi premranjithj,
if you want to filter events before indexing, you have to follow https://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad
To remove a part of an event you can use sedcmd.

If instead you want to mask these dates without filtering events, you can follow https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Anonymizedata

If instead you have already indexed the data, it's possible to delete events, but it's a logical removal (deleted items remain in the index); you cannot remove a part of an event, you can remove only the full event.

If you want to remove indexed data, you could also:
- export all your index by running a search (index=your_index) and exporting the results to text files (using raw data as the format);
- clear your index (http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/RemovedatafromSplunk);
- reindex the exported data using data masks or filters.

Bye.
Giuseppe
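
Added example (not part of the post above and not Splunk's own code): a shell check of a date-stripping expression against the three lines from the question, usable on exported text before it is reindexed. The function names, the `your_sourcetype` stanza and the `strip_dates` class name are assumptions.

```shell
# Equivalent index-time rule for props.conf (hypothetical stanza and class name):
#   [your_sourcetype]
#   SEDCMD-strip_dates = s/ '[0-9]{2}\/[A-Z]{3}\/[0-9]{2}'//g

# Constructed sample: the three lines from the question, as a raw export would hold them.
sample_export() {
  cat <<'EOF'
The value '20/SEP/13' can removed
The hello '28/JUN/14' can be removed
The today '23/JUN/14' can be removed
EOF
}

# A quoted DD/MON/YY token together with the space in front of it.
DATE_RE=" '[0-9]{2}/[A-Z]{3}/[0-9]{2}'"

# Remove every date token from the lines on stdin.
strip_dates() {
  sed -E "s#${DATE_RE}##g"
}

# Count the lines on stdin that still carry a date token (prints 0 when none do).
count_dated_lines() {
  grep -Ec "$DATE_RE" || true
}

# Clean an exported file and fail if any date token survived.
# usage: clean_export <exported_raw_file> <cleaned_file>
clean_export() {
  strip_dates < "$1" > "$2" || return 1
  [ "$(count_dated_lines < "$2")" -eq 0 ]
}

# Show the effect on the sample lines.
sample_export | strip_dates
```

Running the expression on a few exported lines first shows whether it also catches variants such as lower-case months or four-digit years, which this pattern deliberately does not match.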

Champion

Not getting you. Please give us more clear info. You want to search and remove these lines, or you don't want to index these lines at all, or something else?

0 Karma

Builder

I want to remove the date value alone in all the 3 lines.

0 Karma

Champion

The data is already indexed or not yet?
While indexing this data, you want to remove the date and then index?

0 Karma

Builder

It is already indexed.

0 Karma

Champion

You cannot remove a part of an event, you can remove only the full event.

As suggested by Giuseppe,
If you want to remove indexed data, you could also:
- export all your index by running a search (index=your_index) and exporting the results to text files (using raw data as the format);
- clear your index (http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/RemovedatafromSplunk);
- reindex the exported data using data masks or filters.