topic Re: how to sedcmd?? in Getting Data In

how to sedcmd??

jihoon — Tue, 29 Sep 2020 11:24:10 GMT

In the form of logs is as follows

SNMPv2-SMI::mib-"2.2.1.2.1" = "lo" SNMPv2-SMI::mib-"2.2.1.2.2" = "eth0" SNMPv2-SMI::mib-"2.2.1.2.3" = "eth1" ~~~~~

props.conf setting is as follows.

[snmp_test]
sedcmd=s/SNMPv2::mib-2."2.2.1.2. ￦d+￦"//g s/" //g"
report-snmp_del=snmp_del

transforms.conf setting is as follows.
[snmp_del]
DELIMS="="
FIELDS=a1,a2,a3,........a10

I want this result.

a1="lo"
a2="eth0"
a3="eth1"

But, restart splunk this error.

Invalid key in stanza [snmp_test] in ~~/props.conf, line 123: sedcmd (value: .......)

How do you fix it?

thanks!!

Re: how to sedcmd??

lquinn — Tue, 11 Oct 2016 01:44:53 GMT

Are you sure that your question is formatted correctly? Your sedcmd regex looks a little odd ...

Re: how to sedcmd??

hunters_splunk — Tue, 11 Oct 2016 02:07:28 GMT

Hi Jihoon,

Please note that SEDCMD is used only to mask or delete raw data and is configured in props.conf.

For example, if you want to hide the first 5 digits of an account number in the vendor_sales.log source:

[22/Oct/2014:00:46:27] VendorID=9112 Code=B AcctID=4902636948
[22/Oct/2014:00:48:40] VendorID=1004 Code=J AcctID=4236256056
[22/Oct/2014:00:50:02] VendorID=5034 Code=H AcctID=8462999288

You configure the following in props.conf:
[source::.../vendor_sales.log]
SEDCMD-1acct = s/AcctID=\d{5}(\d{5})/AcctID=xxxxx\1/g

SEDCMD provides "search and replace" using regular expressions and substitutions and in the example, \1 indicates the captured group.

Hope this helps. Thanks!
Hunter Shen

Re: how to sedcmd??

richgalloway — Tue, 11 Oct 2016 02:10:41 GMT

Your regex string doesn't match the data. Try

sedcmd=s/SNMPv2-SMI::mib-"2\.2\.1\.2\.\d+"//g

Re: how to sedcmd??

woodcock — Fri, 31 Mar 2017 21:49:44 GMT

The problem is that SEDCMD and REPORT must be in ALL-CAPS.
Another problem is that SEDCMD must have a unique (but arbitrary) suffix, like this: SEDCMD-arbitraryname =