Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure props and transforms.conf to only index a few fields and ignore the other fields?

allan_newton
Path Finder
‎12-10-2015 06:52 AM

I tried all the possible things in Splunk, but couldn't index only some part of the file.

For example:

2015/11/30 19:00:00 ad32ah req:connection srv:vm1pskndx3 method HTTPS txnid:986218312825 and from here 20 to 30 lines of event.

I need to index only ad32ah, vm1pskndx3, HTTPS and 986218312825. I only need these 4 fields and ignore the other part of the event, and it should be repeated for all the events.

I understand I should do something in props.conf or transforms.conf.

Please advise!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-10-2015 07:05 AM

use your prop.conf as mentioned below(http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Propsconf)

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit card or social
  security numbers. For more information, search the online documentation for "anonymize
  data."
* Used to specify a sed script which Splunk applies to the _raw field.
* A sed script is a space-separated list of sed commands. Currently the following subset of
  sed commands is supported:
        * replace (s) and character substitution (y).
* Syntax:
        * replace - s/regex/replacement/flags
                * regex is a perl regular expression (optionally containing capturing groups).
                * replacement is a string to replace the regex match. Use \n for back 
                  references, where "n" is a single digit.
                * flags can be either: g to replace all matches, or a number to replace a 
                  specified match.
        * substitute - y/string1/string2/
                * substitutes the string1[i] with string2[i]
Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-10-2015 07:05 AM

use your prop.conf as mentioned below(http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Propsconf)

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit card or social
  security numbers. For more information, search the online documentation for "anonymize
  data."
* Used to specify a sed script which Splunk applies to the _raw field.
* A sed script is a space-separated list of sed commands. Currently the following subset of
  sed commands is supported:
        * replace (s) and character substitution (y).
* Syntax:
        * replace - s/regex/replacement/flags
                * regex is a perl regular expression (optionally containing capturing groups).
                * replacement is a string to replace the regex match. Use \n for back 
                  references, where "n" is a single digit.
                * flags can be either: g to replace all matches, or a number to replace a 
                  specified match.
        * substitute - y/string1/string2/
                * substitutes the string1[i] with string2[i]
Happy Splunking!
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-10-2015 07:32 PM

Be aware that this approach has 2 drawbacks:

1: Any index-time fields which are created by INDEXED_EXTRACTIONS (and maybe other ways, too), will still possess the values which proves that:
2: Even though you will be "decluttering" your raw events, you will still be metered against your license for the pre-modified size.

Reply
Solved! Jump to solution

allan_newton
Path Finder
‎12-14-2015 03:26 AM

How do I save my license ? Please help.

0 Karma
Reply
Solved! Jump to solution

allan_newton
Path Finder
‎12-10-2015 08:38 AM

But that is for anonymizing the incoming data.

For example :

1335-1235-1531-1353 is a card number and need to be indexed in a masked format xxxx-xxxx-xxxx-xx53.

please correct me if I'm wrong.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-10-2015 02:35 PM

Basically this is true, this doc talks about anonymizing data using a SED script... and what it does is match a pattern and replace it in the example.
You should do the same, but replace it with nothing... You can try the effect using the Data onboarding wizard (Add Data)

But it would be something like this in props.conf

SEDCMD - nullDataIDontWant = s/req:connection//g
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...