https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255633#M49093 <P>Okay so I seem to have got the logic, strange its not working. maybe we can fix that.<BR /> Bu there is a different catch.</P> <P>Every time the doamin name may not be the given format <BR /> (1)abc(2)def(3)ghif(4)</P> <P>It cane be any of below 2 as well</P> <P>(1)abc(2)def(3)<BR /> (1)abc(2)def(3)ghif(4)xyz(5)</P> <P>Any thoughts on that</P> Mon, 05 Dec 2016 17:18:26 GMT Sayanta_Basak_I 2016-12-05T17:18:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255630#M49090 <P>We have the DNS debug logs coming onto the indexer.<BR /> Now each events will have an alpha-numeric pattern for 'domain name' in below fashion</P> <P><STRONG>(1)abc(2)def(3)ghif(4)</STRONG></P> <P>Now i want the <STRONG>highlighted</STRONG> data to be altered to a different format<BR /> I have used the below SEDCMD in props.conf but is does not seem to alter it as required</P> <PRE><CODE>SEDCMD-win_dns = s/\(\d+\)/./g </CODE></PRE> <P>Expectation: abc.def.ghif<BR /> Reality: .abc.def.ghif.</P> <P>so it basically replaces all the '(digits)' with '.' But i want the extreme-placed integers to be converted to white space character<BR /> Is that possible?</P> Mon, 05 Dec 2016 16:49:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255630#M49090 Sayanta_Basak_I 2016-12-05T16:49:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255631#M49091 <P>Try this</P> <PRE><CODE>SEDCMD-win_dns = s/(\(\d\))(\w+)(\(\d\))(\w+)(\(\d\))(\w+)(\(\d\))/\2\.\4\.\6/g </CODE></PRE> Mon, 05 Dec 2016 17:06:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255631#M49091 sundareshr 2016-12-05T17:06:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255632#M49092 <P>Hi,</P> <P>It does not seem to work!<BR /> Will it be possible for you to explain in short what logic you are using for this ?</P> <P>Regards<BR /> Sayanta B</P> Mon, 05 Dec 2016 17:12:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255632#M49092 Sayanta_Basak_I 2016-12-05T17:12:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255633#M49093 <P>Okay so I seem to have got the logic, strange its not working. maybe we can fix that.<BR /> Bu there is a different catch.</P> <P>Every time the doamin name may not be the given format <BR /> (1)abc(2)def(3)ghif(4)</P> <P>It cane be any of below 2 as well</P> <P>(1)abc(2)def(3)<BR /> (1)abc(2)def(3)ghif(4)xyz(5)</P> <P>Any thoughts on that</P> Mon, 05 Dec 2016 17:18:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255633#M49093 Sayanta_Basak_I 2016-12-05T17:18:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255634#M49094 <P>In that case, try three SEDCMD</P> <P>SEDCMD-remove_parens_num = s/((\d))/./g<BR /> SEDCMD-remove_first_period = s/^(.)//g<BR /> SEDCMD-remove_last_period = s/(.)$//g</P> Tue, 29 Sep 2020 12:01:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255634#M49094 sundareshr 2020-09-29T12:01:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255635#M49095 <P>I have the same issue with MS Active Directory DNS server log format. Does not work. No change at all. I am desperate.</P> Tue, 14 Feb 2017 19:24:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255635#M49095 tomasmoser 2017-02-14T19:24:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255636#M49096 <P>Ask in a separate/new question and I'd be happy to help you </P> Tue, 14 Feb 2017 19:32:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255636#M49096 skoelpin 2017-02-14T19:32:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255637#M49097 <P>I need to solve the same issue as in this threat - regardin MS DNS log format.</P> <P>I have events like this:<BR /> 1. 2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A (5)h42-m(3)sec(3)lab(0)</P> <P>The problem is with "(5)h42-m(3)sec(3)lab(0)"</P> <P>I need to get events to look like this:</P> <OL> <LI>2. 2017 20:19:22 0D80 PACKET 0000002548D040A0 UDP Rcv 10.17.81.32 7be7 Q [0001 D NOERROR] A h42-m.sec.lab</LI> </OL> <P>When I implemented your suggestion in props.conf<BR /> SEDCMD-remove_parens_num = s/((\d))/./g<BR /> SEDCMD-remove_first_period = s/^(.)//g<BR /> SEDCMD-remove_last_period = s/(.)$//g</P> <P>I stopped seeing my DNS logs in GUI permanently after restart of Splunk. I do not understand. If I removed your proposal, it's back again with wrong format.</P> <P>Any idea?</P> <P>Tomas</P> Tue, 29 Sep 2020 12:53:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255637#M49097 tomasmoser 2020-09-29T12:53:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255638#M49098 <P>I solved your question.. Go post a new question with a description and I will post your answer</P> Tue, 14 Feb 2017 20:31:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alter-data-using-SEDCMD-in-props-conf/m-p/255638#M49098 skoelpin 2017-02-14T20:31:18Z