You can unset macros or fields of the message, including any user-defined macros created using parsers (for details, see parser: Parse and segment structured messages and db-parser: Process message content with a pattern database (patterndb)). Note that the unset operation completely deletes any previous value of the field that you apply it on.
Note
Hard macros cannot be modified. For details on the hard and soft macros, see Hard versus soft macros).Use the following syntax:
Declaration:
rewrite <name_of_the_rule> {
unset(value("<field-name>"));
};
Example: Unsetting a message field
The following example unsets the HOST field of the message.
rewrite r_rewrite_unset{
unset(value("HOST"));
};
To unset a group of fields, you can use the groupunset() rewrite rule.
Declaration:
rewrite <name_of_the_rule> {
groupunset(values("<expression-for-field-names>"));
};
Example: Unsetting a group of fields
The following rule clears all SDATA fields:
rewrite r_rewrite_unset_SDATA{
groupunset(values(".SDATA.*"));
};