×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
vincentwhn
Engager
Member since: ‎09-14-2025
‎09-16-2025
Community Statistics
Posts 8
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎09-14-2025
Activity Feed
View All

Re: How to use STOP_PROCESSING_IF in transforms.co...

by in Getting Data In
‎09-16-2025 07:59 PM
‎09-16-2025 07:59 PM
This is my sample log: {"AppAccessContext": {"AADSessionID": "f3a2b6d4-1234-4c89-9a67-8b2e5d7c9f01", "ClientAppId": "00000003-0000-0ff1-ce00-000000000000", "ClientAppName": "SharePoint Online", "CorrelationId": "e5d6a7b8-2345-4f90-8c12-9d8e7f6a5b4c", "TokenIssuedAtTime": "2025-09-16T05:12:33Z", "UniqueTokenId": "abc123xyz789", "UserObjectid": "d2f3a4b5-6789-4cde-9012-3456789abcde"}, "CreationTime": "2025-09-16T05:12:35Z", "Id": "9876543210", "Operation": "FileAccessed", "OrganizationId": "contoso.onmicrosoft.com", "RecordType": 6, "UserKey": "i:0#.f|membership|vincent.wong@contoso.com", "UserType": 0, "Version": 1, "Workload": "SharePoint", "ClientIP": "203.0.113.45", "UserId": "vincent.wong@contoso.com", "ApplicationiD": "spfx-app-12345", "AuthenticationType": "Federated", "BrowserName": "Edge", "BrowserVersion": "116.0.1938.81", "EventSource": "SharePoint", "GeoLocation": "HK", "IsManagedDevice": true, "ItemType": "File", "ListItemUniqueId": "b3c4d5e6-f789-4abc-9012-3456789def01", "Pleatform": "Windows", "Site": "https://contoso.sharepoint.com/sites/ProjectX", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "WebId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "DeviceDisplayName": "Vincent-Laptop", "HighPriorityMediaProcessing": false, "ListBassType": 101, "ListServerTemplate": 101, "DestinationFileExtension": ".docx", "SourceFileExtension": ".docx", "SourceRelativeUrl": "/sites/ProjectX/Shared Documents/Report.docx", "SourceFileName": "Report.docx", "DestinationRelativeUrl": "/sites/ProjectX/Shared Documents/Report.docx", "DestinationFileName": "Report.docx", "ApplicationDisplayName": "Microsoft Office Word", "SiteUrl": "https://contoso.sharepoint.com/sites/ProjectX-prd-test", "ObjectId": "https://contoso.sharepoint.com/sites/ProjectX/Shared Documents/Report.docx"} I use the config below to control if the log masking is enabled or not: props.conf [testlog] RULESET-SharePoint_log_filter = SharePoint_log_filter_control, SharePoint_log_filter_rule1, SharePoint_log_filter_rule2, SharePoint_log_filter_rule3, SharePoint_log_filter_rule4 transforms.conf [SharePoint_log_filter_control] INGEST_EVAL = SharePoint_log_filter_control=if(match(_raw, "\"Workload\": \"SharePoint\".*\"SiteUrl\": \".*-prd.*\""), "match", "not_match") STOP_PROCESSING_IF = SharePoint_log_filter_control=="not_match" [SharePoint_log_filter_rule1] INGEST_EVAL=_raw:=replace(_raw, "(\"(?!(?:Operation|SiteUrl|UserId|Workload))[^\"]+\"\\s*:\\s*(?:\\{[^{}]*\\}|\\[[^\\[\\]]*\\]|\"(?:[^\"\\\\]|\\\\.)*\"|[^,}\\r\\n]+))", "") [SharePoint_log_filter_rule2] INGEST_EVAL=_raw:=replace(_raw, "(,\\s+)+", ", ") [SharePoint_log_filter_rule3] INGEST_EVAL=_raw:=replace(_raw, ", }", "}") [SharePoint_log_filter_rule4] INGEST_EVAL=_raw:=replace(_raw, "{, ", "{") ... View more

Re: Are there any ways to whitelist specific field...

by in Getting Data In
‎09-15-2025 12:47 AM
‎09-15-2025 12:47 AM
Thanks a lot. Will take a look at it. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-16-2025 07:58 PM
Karma given to
View All