Hiya

I have a pipeline set up from a datagen source (business events) - see attached first image


As you can see, the event has fields. Now I want to remove fields - source and sourcetype - no matter what I try in the "fields to remove", nothing gets removed (see output below).

[attached images]

I am trying to get the UI to show in red - the fields that are to be dropped

Here is something even weirder - when I do "!(name.startsWith('source'))" for filter by expression, it shows me the new JSON payload but the UI still has source and sourcetype in it.

Two suggestions:

  1. Put an Eval function in that will change the unwanted fields to undefined, i.e. sourcetype -> undefined, source -> undefined
  2. Have you tried adding in a !source !sourcetype before the list of fields?

Yeah, that worked for me. I defined a preprocessing pipeline that does this:

[attached images]

and finally in Splunk:

[attached image]

Thank you kindly, I will give that a shot.