Hi All;
I have an interesting issue. Currently, I have data free flowing into a port on in Splunk, and one of the fields in this data has become corrupt and is not allowing me to search my data correctly. What I want to do is remove this field from the data before it is indexed. Is there any way I can do this in Splunk itself?
Note: I really want to avoid sending the data else where for this change to be made and then sending it to Splunk, and I would want to not be limited the option of changing the field in the source.
Any suggestions are greatly appreciated as always.
Thanks,
Tyler
↧