Solved: i want to remove the date occurrence for all the l...

DataOrg · ‎06-19-2017

The value '20/SEP/13' can removed
The hello '28/JUN/14' can be removed
The today '23/JUN/14' can be removed

gcusello · ‎06-19-2017

Hi premranjithj,
if you want to filter events before indexing you have to follow https://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad
to remove a part of an event you can use sedcmd.

If instead you want to mask this dates without filtering events, you can follow https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Anonymizedata

If instead you already indexed data, it's possible to delete events but it's a logical remove (deleted items remain in Index) you cannot remove a part of an event, you can remove only the full event.

If you want to remove indexed data, you also could:
- export all your index running a search (index=your_index) and exporting result in text files (using as format row data);
- clear your index (http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/RemovedatafromSplunk);
- reindex the exported data using data mask or filters.

Bye.
Giuseppe

View solution in original post

gcusello · ‎06-19-2017

Hi premranjithj,
if you want to filter events before indexing you have to follow https://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad
to remove a part of an event you can use sedcmd.

If instead you want to mask this dates without filtering events, you can follow https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Anonymizedata

If instead you already indexed data, it's possible to delete events but it's a logical remove (deleted items remain in Index) you cannot remove a part of an event, you can remove only the full event.

If you want to remove indexed data, you also could:
- export all your index running a search (index=your_index) and exporting result in text files (using as format row data);
- clear your index (http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/RemovedatafromSplunk);
- reindex the exported data using data mask or filters.

Bye.
Giuseppe

inventsekar · ‎06-19-2017

not getting you. please give us more clear info. you want to search and remove these lines or you dont want to index these lines at all.. or something else

DataOrg · ‎06-19-2017

i want to remove the date value alone in all the 3 lines

inventsekar · ‎06-19-2017

the data is already indexed or not yet?
while indexing this data you want to remove the date and then index?

DataOrg · ‎06-19-2017

it is already indexed.

inventsekar · ‎06-19-2017

you cannot remove a part of an event, you can remove only the full event.

as suggested by Giuseppe,
If you want to remove indexed data, you also could:
- export all your index running a search (index=your_index) and exporting result in text files (using as format row data);
- clear your index (http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/RemovedatafromSplunk);
- reindex the exported data using data mask or filters.

i want to remove the date occurrence for all the line

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!