Hello Splunkers,
I need to ignore some field values that are incorrectly coming in.
I am seeing a field UserID=Tom correctly show up, but there are some other entries where UserID=8.8.8.8 Accessed URL... etc.
How do I get Splunk to ignore any UserID where UserID=Anything with a number in it?
Thanks!
Maybe this will help?
... | regex UserID="^[a-zA-Z]+$" | ...
Are these invalid values present in the logs/raw data itself? Do you have any field extractions set up for this field?
You may want to read this documentation as well.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad
Hello,
Yes, this is working with a field extraction. I was not able to filter the extraction 100% successfully, but it's providing good data; I just need to be able to filter out the numerical values at search time. This is for a single search instance for doing some detective work and is not a long-term requirement.
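
A search-time filter for the case described in this thread, as an added example that is not part of the original posts: it builds four constructed UserID values with makeresults, marks any value containing a digit, shows how many events fall on each side, and keeps only the digit-free ones. The field names n, has_digit, dropped and kept are assumptions made for the illustration; in a real search, replace the first three lines with your own base search.

```spl
| makeresults count=4
| streamstats count AS n
| eval UserID=case(n=1, "Tom", n=2, "8.8.8.8", n=3, "user42", n=4, "Alice")
| eval has_digit=if(match(UserID, "\d"), 1, 0)
| eventstats sum(has_digit) AS dropped, sum(eval(1-has_digit)) AS kept
| where has_digit=0
| table UserID, kept, dropped
```

The same filter as a single command is `| regex UserID!="\d"`; the eval form above is useful during an investigation because the dropped count shows how much data the bad extraction is costing you.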