https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315786#M59092 <P>Hello</P> <P>The problem is that the 2 rules are for index time.<BR /> The first transform will apply renaming the sourcetype original to new(AMBER_RAW:METRIC).<BR /> But the event will not be parsed a second time (at index time) for the new sourcetype rules. Therefore the SEDCMD will never happen.</P> <P><STRONG>NOTE : at search time. the new sourcetype rules may stilll apply ( by example a field extraction)</STRONG><BR /> so you will need to use sedcmd at search time like this</P> <PRE><CODE>index=&lt;your_index&gt; sourcetype=AMBER_RAW:METRIC | rex mode=sed "s/^.*?{/{/1" </CODE></PRE> <P>As per below doc <BR /> <A href="http://wiki.splunk.com/Community:HowIndexingWorks">http://wiki.splunk.com/Community:HowIndexingWorks</A><BR /> Both SEDCMD and transforms.conf occurs during 'Typing' queue process and since data is coming for <CODE>original sourcetype</CODE> so configuration for <CODE>original sourcetype</CODE> will take effect and configuration (index-time) for <CODE>new sourcetype(AMBER_RAW:METRIC )</CODE> will never take place.</P> <P>let me know if this helps!</P> Fri, 06 Apr 2018 12:28:43 GMT mayurr98 2018-04-06T12:28:43Z https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315785#M59091 <P>Hi</P> <P>I am taking in data and making a new source type, so i need to use a transform for this.<BR /> The issue is when i use this i cant seem to use SEDCMD to trim some of the lines i am taking in.</P> <P>Props.conf<BR /> [AMBER_RAW:METRIC]<BR /> SEDCMD-remove_header = s/^.*?{/{/1<BR /> TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N<BR /> TIME_PREFIX = \"ts\":\"<BR /> INDEXED_EXTRACTIONS = JSON</P> <P>Transform.conf<BR /> [AMBER_RAW_json_METRIC]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = {"v":"1.0\"<BR /> FORMAT = sourcetype::AMBER_RAW:METRIC</P> <P>If i don't use the Transform the SEDCMD-remove_header works, but in the case i need to, for another issue i am having.</P> <P>Any ideas, how to get around this?<BR /> Example of the data, but i have it working if i take it in difectly. However i have to use a transform in this case as i have multiple sourcetype in one files.</P> <PRE><CODE>2018-01-10 15:50:03 [metrics-application-1-thread-1] INFO METRIC:41 - {"v":"1.0","t":"MTR","ts":"2018-01-10T15:50:03.704Z","h":"mx7654vm","pid":12483,"src":{"c":"authn-app","d":"auth"},"mtr":{"counters":{"process":{"cpu":{"time_cumulated_s":35},"memory":{"gc":{"ps_marksweep":{"total_duration_ms":814},"ps_scavenge":{"total_duration_ms":539}}}}},"gauges":{"com.murex.serviceframework.rest.datalayer.DataSourceMetrics.datasources.authn-authn-app-1":{"availableConnectionCount":1,"borrowedConnectionCount":0,"currPoolSize":1,"maxPoolSize":50,"poolName":"authn-authn-app-1"},"process":{"cpu":{"percentage":0.0014801778579070887},"files":{"open_files":37},"memory":{"jvm":{"heap":{"committed_kb":195072,"used_kb":111654},"nonheap":{"committed_kb":91456,"used_kb":89829}},"rss_kb":32880864,"vsz_kb":2295108}}},"histograms":{},"meters":{},"timers":{"process":{"memory":{"gc":{"ps_marksweep":{"events":{"count":1,"rate_1m":0.010541994097562058,"rate_5m":0.0030413993186727347,"rate_15m":0.001077675326868502,"rate_mean":0.023586525047214212},"duration_ms":{"max":620.0,"mean":620.0,"median":620.0,"min":620.0,"percentile_75":620.0,"percentile_95":620.0,"percentile_98":620.0,"percentile_99":620.0,"percentile_999":620.0,"standard_deviation":0.0}},"ps_scavenge":{"events":{"count":32,"rate_1m":1.3370365746688775,"rate_5m":1.8460208181687348,"rate_15m":1.9473463934310977,"rate_mean":0.7547234936660224},"duration_ms":{"max":18.0,"mean":9.125,"median":6.5,"min":3.0,"percentile_75":13.0,"percentile_95":18.0,"percentile_98":18.0,"percentile_99":18.0,"percentile_999":18.0,"standard_deviation":5.014495118187132}}}}}}}} </CODE></PRE> <P>Thanks, in advance<BR /> Rob</P> Tue, 29 Sep 2020 18:53:48 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315785#M59091 robertlynch2020 2020-09-29T18:53:48Z https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315786#M59092 <P>Hello</P> <P>The problem is that the 2 rules are for index time.<BR /> The first transform will apply renaming the sourcetype original to new(AMBER_RAW:METRIC).<BR /> But the event will not be parsed a second time (at index time) for the new sourcetype rules. Therefore the SEDCMD will never happen.</P> <P><STRONG>NOTE : at search time. the new sourcetype rules may stilll apply ( by example a field extraction)</STRONG><BR /> so you will need to use sedcmd at search time like this</P> <PRE><CODE>index=&lt;your_index&gt; sourcetype=AMBER_RAW:METRIC | rex mode=sed "s/^.*?{/{/1" </CODE></PRE> <P>As per below doc <BR /> <A href="http://wiki.splunk.com/Community:HowIndexingWorks">http://wiki.splunk.com/Community:HowIndexingWorks</A><BR /> Both SEDCMD and transforms.conf occurs during 'Typing' queue process and since data is coming for <CODE>original sourcetype</CODE> so configuration for <CODE>original sourcetype</CODE> will take effect and configuration (index-time) for <CODE>new sourcetype(AMBER_RAW:METRIC )</CODE> will never take place.</P> <P>let me know if this helps!</P> Fri, 06 Apr 2018 12:28:43 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315786#M59092 mayurr98 2018-04-06T12:28:43Z https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315787#M59093 <P>Hi </P> <P>Thanks. Do you think i can move it from one transform to another so i can take out this data?</P> <P>Is there anything that can be done to help in this case.</P> <P>I need to push this data into a datamodel this is why i need this.</P> <P>Thanks<BR /> Robert</P> Fri, 06 Apr 2018 13:16:24 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315787#M59093 robertlynch2020 2018-04-06T13:16:24Z https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315788#M59094 <P>again it will conflict. well what you can do is try applying sedcmd and transforms on the original sourcetype and see what happens.this should work as you are applying configuration on the original sourcetype.</P> Fri, 06 Apr 2018 13:23:31 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315788#M59094 mayurr98 2018-04-06T13:23:31Z https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315789#M59095 <P>@mayurr98 is correct about the order of operations in the indexing pipeline. To get around this, you could use <CODE>CLONE_SOURCETYPE</CODE> in transforms.conf. According to the <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf">documentation</A>, "The cloned event will be further processed by index-time transforms and SEDCMD expressions according to its new sourcetype."</P> Fri, 06 Apr 2018 14:47:58 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315789#M59095 jconger 2018-04-06T14:47:58Z https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315790#M59096 <P>hi <BR /> Thanks for this this worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 09 Apr 2018 21:22:05 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315790#M59096 robertlynch2020 2018-04-09T21:22:05Z https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315791#M59097 <P>HI </P> <P>Thanks for this, the first answer did work for me. But this is good to know for the future.</P> <P>Cheers<BR /> Robert</P> Mon, 09 Apr 2018 21:22:56 GMT https://community.splunk.com/t5/Getting-Data-In/Using-a-transform-i-cant-use-SEDCMD/m-p/315791#M59097 robertlynch2020 2018-04-09T21:22:56Z