Hi Gaurav
I want to know how to filter only a few fields in an event and eliminate the other fields.
E.g.:
{
    action: ALLOW
    formatVersion: 1
    httpRequest: { }
    httpSourceId: 30gcfrxt8djgvhg4b8f074e
    httpSourceName: ALB
    nonTerminatingMatchingRules: [ ]
    rateBasedRuleList: [ ]
    ruleGroupList: [ ]
    terminatingRuleId: Default_Action
    terminatingRuleType: REGULAR
    timestamp: 1571993927624
    webaclId: cxxxxxxxxxxxxxxxxxxxxxxxxxxx
}
I want only fields like action, ruleBasedRuleList, terminatingRuleType, and webaclId. How can I filter these fields in Splunk?