Hi @Karthikeya

This should be really easy to achieve by adding some simple props/transforms to your Indexers or HFs:

== props.conf ==
[yourSourceType]
TRANSFORMS-removeJsonKeys = removeJsonKeys1
== transforms.conf ==
[removeJsonKeys1]
INGEST_EVAL = _raw=json_delete(_raw, "key1", "nestedkey.subkey2")

You can also see how this would work in the UI, although obviously this isn't persistent. Here is a working example to see:

SPL
| makeresults
| eval _raw = "[{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"ghi789rst\"},\"action\":\"Create\"}]"
| eval events=json_array_to_mv(_raw)
| mvexpand events
| eval _raw=events
| fields _raw
| eval _raw=json_delete(_raw, "integrationName", "alert.id")

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards

Will