How to get Splunk to ignore field values with numb...

lbogle · ‎01-19-2015

Hello Splunkers,
I need to ignore some field values that are incorrectly coming in.
I am seeing a field UserID=Tom correctly show up but there are some other entries where UserID=8.8.8.8 Accessed URL....etc etc.
How do I get Splunk to ignore any UserID where UserID=Anything with a number in it?
Thanks!

richgalloway · ‎01-19-2015

Maybe this will help?

... | rex field=UserID "[a-zA-Z]?" | ...

---
If this reply helps you, Karma would be appreciated.

somesoni2 · ‎01-19-2015

Are these invalid values present in the logs/raw data itself? Do you have any field extractions setup for this field?

You may want to read this documentation as well.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

lbogle · ‎01-19-2015

Hello,
Yes, this is working with a field extraction. I was not able to filter the extraction 100% successfully but it's providing good data, I just need to be able to filter out the numerical values at search time. This is for a single search instance for doing some detective work and is not a long term requirement.

How to get Splunk to ignore field values with numbers?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...