topic Re: Failed to remove lines from log files before indexing using SEDCMD command in props.conf in Getting Data In

Failed to remove lines from log files before indexing using SEDCMD command in props.conf

saibal6 — Fri, 16 Mar 2018 11:11:28 GMT

We are trying to remove few lines from log files before indexing using SEDCMD command in props.conf.
We are using universal forwarder and we have only one Splunk Enterprise server.
Search and Index are both installed in that Splunk Enterprise server.
For testing purpose we have written the below command in props.conf (D:\SPLUNK\etc\apps\search\local) in the Splunk Enterprise server.

[sourcetype]
SEDCMD-alter=s/Lastline//g

We were expecting that the word 'Lastline' will not appear in the search but it didn't work.

Could you please suggest anyway to solve this.

Many thanks

Re: Failed to remove lines from log files before indexing using SEDCMD command in props.conf

tiagofbmm — Fri, 16 Mar 2018 11:23:48 GMT

Is the data that you can search in Splunk with the correct sourcetype?

Re: Failed to remove lines from log files before indexing using SEDCMD command in props.conf

saibal6 — Fri, 16 Mar 2018 12:06:19 GMT

Yes. I can search it in Splunk with the correct sourcetype

Re: Failed to remove lines from log files before indexing using SEDCMD command in props.conf

tiagofbmm — Fri, 16 Mar 2018 12:15:15 GMT

I created a sourcetype named lastline in SPLUNK_HOME/etc/apps/search/local/props.conf

[lastline]
SEDCMD-alter=s/Lastline//g

Restarted Splunk

Created a dummy file:

Tiago Lastline TiagoTiagog 
Lastline asdkas dasds asd a12 e122wqd 12e ` 2 
Lastline
Last    wdqas
asdasd Lastline

And the result was the expected

Tiago  TiagoTiagog 
 asdkas dasds asd a12 e122wqd 12e ` 2 

Last    wdqas
asdasd

If you have restarted splunk after creating the sourcetype in props and your events have the sourcetype "lastline" and still you don't have the expected results:

Do this $SPLUNK_HOME/bin/splunk btool props list -- debug

Find your sourcetype and check if your SEDCMD is there in the Stanza

Re: Failed to remove lines from log files before indexing using SEDCMD command in props.conf

tiagofbmm — Wed, 21 Mar 2018 17:19:33 GMT

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

Re: Failed to remove lines from log files before indexing using SEDCMD command in props.conf

saibal6 — Thu, 22 Mar 2018 12:14:45 GMT

Hi tiagofbmm,

Sorry for the late reply.
Yes, your information is correct and it is working properly.
I want exactly this kind of solutions.

Thanks a lot.