topic Re: Can I use SED in configuration files? in Getting Data In

Can I use SED in configuration files?

maxdessureault — Mon, 28 Sep 2020 14:41:40 GMT

Hi all,

I am fairly new to Splunk and have been working on the following search time field extraction to grab windows formatted filenames from various different custom logs and was wondering if and how somehting like this can be made to automatically extract fields for a giver app. I believe this will require work in props.conf and use of SED scripts but was wondering if anyone could point me into the right direction as I wouldn't know where to start. Any help would be greatly appreciate:

| rex "(?(( |TrustedInsta|//)+[-a-zA-Z0-9)/(. ]+.(exe|dll|bat)$))" | rex mode=sed field=extractfilename "s/^[a-zA-Z0-9][ ]+ //" | rex mode=sed field=extract_filename "s/^ *//" | rex mode=sed field=extract_filename "s/^TrustedInsta//" | rex "(?(\+[a-zA-Z0-9]+.(exe|dll|bat)\"))" | eval FILE=mvappend(extractfilename, " ", extractfilename2)

Re: Can I use SED in configuration files?

rturk — Sat, 31 Aug 2013 01:34:03 GMT

Can you provide a sample event?

Re: Can I use SED in configuration files?

maxdessureault — Sat, 31 Aug 2013 01:53:56 GMT

Sure here are a few different one which the above work with

07/13/2009 09:41 PM 169,472 NT SERVICE\TrustedInstaPortableDeviceWiaCompat.dll

0x00000000fd1b0000 0x51000 C:\WINDOWS\system32\msv10.DLL

The field extraction itself is working to my liking. My problem is getting the series of SED and REX into the config files as to automatically extract the FILE field when accessing a particular app or whatnot.

Thanks

Re: Can I use SED in configuration files?

davecroto — Sat, 31 Aug 2013 13:09:47 GMT

sedcmd in props.conf

here is an example:

[your sourcetype]

sedcmd-extractfilename = s\/^[a-zA-Z0-9][ ]+ \/\/g

This of course if your regex is working properly.

Re: Can I use SED in configuration files?

maxdessureault — Sun, 01 Sep 2013 02:42:43 GMT

Ah great actually all I needed to know my stuff is all good now thanks for the nudge.

Re: Can I use SED in configuration files?

imanpoeiri — Tue, 29 Sep 2020 06:41:21 GMT

Revive old post.

I have lines of data with below values

WORK_ORD_NO,ACT_ID,ACT_NO,ACT_NM,STATUS_CD,LAST_UPDATE_DT,DELAY_REASON_DESC
AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62364588:
AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62645015:
AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62625062:

I expect results like below:
WORK_ORD_NO,ACT_ID,ACT_NO,ACT_NM,STATUS_CD,LAST_UPDATE_DT,DELAY_REASON_DESC
AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::

And I use sed stanza like below
props.conf
[source::C:\Program Files\Splunk/etc/apps/MySampleApp/samples/Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = -r s/LINE_ID_NOT_FOUND:([0-9]){8}/LINE_ID_NOT_FOUND/g

but not working!

Appreciate if any experts can help me here.

Re: Can I use SED in configuration files?

imanpoeiri — Tue, 29 Sep 2020 06:46:16 GMT

Fixed!

[source::C:Program FilesSplunk/etc/apps/MySampleApp/samples/Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = -r s/LINE_ID_NOT_FOUND:([0-9]){8}/LINE_ID_NOT_FOUND/g

[Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = s/LINE_ID_NOT_FOUND:[0-9]*/LINE_ID_NOT_FOUND/g