I would like to exclude certain fields from search results and keep the rest of the information (not discarding the event), so Splunk can send it to an email later on.
For example, let's say I have the following event:
>> devname = foo , devid = uuid , msg = info
Then, I discard devname = foo
>> devid = uuid , msg = info
Finally, send configured event to email.
Is there a way to do this?