Jakub
Reputation: 23
Remove property from json event Splunk
I have events JSON events in splunk, but one of the key pair/property I would like to remove.
E.g.:
From below JSON I want to remove "country": "Algeria", from every event which will come. It is possible? I have tried something like this in my props.conf, but no success.
[k8s]
INDEXED_EXTRACTIONS=JSON
TRUNCATE = 200000
SEDCMD-remove=/"country": ".*/g
{
"random": 23,
"random float": 28.173,
"bool": false,
"date": "1990-08-31",
"regEx": "helloooooooooooooooooooooooooooooooooooooooooooooooooo world",
"enum": "generator",
"firstname": "Latisha",
"lastname": "Alexandr",
"city": "Tiraspol",
"country": "Algeria",
"countryCode": "MC",
"email uses current data": "[email protected]",
"email from expression": "[email protected]",
"array": [
"Dyann",
"Christal",
"Renie",
"Tilly",
"Margette"
],
"array of objects": [
{
"index": 0,
"index start at 5": 5
},
{
"index": 1,
"index start at 5": 6
},
{
"index": 2,
"index start at 5": 7
}
],
"Raquela": {
"age": 50
}
}
Upvotes: 2
Views: 755
Answers (1)
RichG
Reputation: 9926
You have the right idea, but the SEDCMD is incorrect. Try this in your props.conf
SEDCMD-noAlgeria = s/"country": "Algeria",//
Upvotes: 1
Related Questions
- Splunk Event JSON to Table
- How to extract fields from an escaped JSON(nested) in splunk?
- How to extract Key Value fields from Json string in Splunk
- Remove Field from event by pattern
- splunk exclude results based on json property
- How to extract fields from JSON string in Splunk
- Splunk HEC: Start sending events in JSON format with pre existing raw events
- How to remove a certain field from Splunk output
- Remove an event field and reference it in Logstash
- How to remove an event from logstash?