You can unset macros or fields of the message, including any user-defined macros created using parsers (for details, see parser: Parse and segment structured messages and db-parser: Process message content with a pattern database (patterndb) Note that the unset operation completely deletes any previous value of the field that you apply it on.

NOTE: Hard macros cannot be modified, so they will not be overwritten. For details on the hard and soft macros, see Hard versus soft macros.

Use the following syntax:

Declaration

rewrite <name_of_the_rule> {
    unset(value("<field-name>"));
};

Example: Unsetting a message field

The following example unsets the HOST field of the message.

rewrite r_rewrite_unset{
    unset(value("HOST"));
};

To unset a group of fields, you can use the groupunset() rewrite rule.

Declaration of group unset

rewrite <name_of_the_rule> {
    groupunset(values("<expression-for-field-names>"));
};

Example: Unsetting a group of fields

The following rule clears all SDATA fields:

rewrite r_rewrite_unset_SDATA{
    groupunset(values(".SDATA.*"));
};

Updated: