Hey, dhimanv! I've managed to achieve it. A Splunk OnDemand Services request helped with this issue. There are a couple of options, but in my case these filters worked to strip some fields from the JSON body and so decrease the amount of data (GB) we ingest:

```yaml
logsCollection:
  containers:
    enabled: true
    useSplunkIncludeAnnotation: true
    extraOperators:
      # Route only JSON-looking nginx access lines to the field-stripping chain;
      # everything else falls through to noop-router untouched.
      - type: router
        default: noop-router
        routes:
          - expr: body contains "timestamp" and attributes.log matches "^{.*}$"
            output: remove-nginx-keys
          - expr: body contains "timestamp" and attributes.log matches "^{.*}\\n$"
            output: remove-nginx-keys
      # Parse the raw string in place so the remove operators can address keys.
      - type: json_parser
        id: remove-nginx-keys
        parse_from: attributes.log
        parse_to: attributes.log
      # on_error: send keeps forwarding the record even if a key is absent.
      - type: remove
        field: 'attributes.log.cf_ray'
        on_error: send
      - type: remove
        field: 'attributes.log.proxyUpstreamName'
        on_error: send
      - type: remove
        field: 'attributes.log.proxyAlternativeUpstreamName'
        on_error: send
      - type: remove
        field: 'attributes.log.upstreamAddr'
        on_error: send
      - type: remove
        field: 'attributes.log.upstreamStatus'
        on_error: send
      - type: remove
        field: 'attributes.log.requestID'
        on_error: send
      - id: noop-router
        type: noop
```

So the JSON goes from:

```json
{"timestamp": "2023-12-20T10:05:17+00:00", "requestID": "ID", "proxyUpstreamName": "service-name", "proxyAlternativeUpstreamName": "", "upstreamStatus": "200", "upstreamAddr": "IP:4444", "Host": "DNS", "httpRequest": {"requestMethod": "POST", "requestUrl": "/request", "status": 200, "requestSize": "85", "responseSize": "14", "userAgent": "Google", "remoteIp": "IP", "referer": "", "latency": "0.003 s", "protocol": "HTTP/2.0"}, "cf_ray": "1239kvksad2139kc923"}
```

To (as rendered in the Splunk event viewer):

```text
{ [-]
  Host: web.web.eu
  httpRequest: { [-]
    latency: 0.092 s
    protocol: HTTP/1.1
    referer: referer
    remoteIp: IP
    requestMethod: GET
    requestSize: 834
    requestUrl: /request
    responseSize: 133
    status: 200
    userAgent: agent
  }
  timestamp: 2023-12-20T10:05:08+00:00
}
```

A caveat before copying this: `requestID`, `cf_ray` and `upstreamAddr` are exactly the identifiers you would use to correlate one request across Cloudflare, the ingress and the upstream pod during an incident investigation, so check with whoever owns detection/IR before dropping them — the ingest saving is real, but it is paid for in forensic traceability. Also note that `on_error: send` means a failed `remove` (e.g. the key is missing) still forwards the record rather than dropping it, and anything the router's two regexes don't match is passed through `noop-router` unchanged, so verify the route expressions against your actual log format before relying on the volume reduction.

Hope this helps!