Re: Log exporter filtering

Ulf_Ibrahim_Kar · ‎2020-12-02

Hi!

To save Splunk license I want to filter out some useless fields. I'we read all the log_exporter documentation and relevant posts here.

But I'm having trouble getting it to filter some fields, for examle the verbose filed "app_desc" just won't go away...

In targetConfiguration.xml I have these settings:

<format type="splunk">
<resolver>
<mappingConfiguration>MySplunkFieldsMapping.xml</mappingConfiguration>
<exportAllFields>true</exportAllFields>
</resolver>
<formatHeaderFile>MySplunkFormatDefinition.xml</formatHeaderFile>
</format>

And in MySplunkFieldsMapping.xml

<table>
<tableName>match_table</tableName>
<fields>
<field>
<origName>app_desc</origName>
<exported>false</exported>
</field>
</fields>

But that pesky add_desc fileld just wont go away.

What am I doing wrong?

Dror_Aharony · ‎2020-12-02

try to add the 'primary_application' table.

and also have it without a table, as just a field: 'app_desc'.

Ulf_Ibrahim_Kar · ‎2020-12-03

Hi!

I have tried all combinations of the two tables and the "bare" field. Can't get it to work.

Attahed the relevant files, renamed so that the forum software accepted them,

Please have a look and explain what I'm doing wrong!

Dror_Aharony · ‎2020-12-03

Everything looks right, sorry.
Best open a TAC ticket & Good-luck!

Are you a member of CheckMates?

Log exporter filtering