topic Re: sedcmd not being applied in Getting Data In

sedcmd not being applied

ajs07635 — Thu, 03 Feb 2011 23:20:49 GMT

I am trying to remove the extra description text that gets appended to windows 2k8 logs using SEDCMD in props.conf. However, I can't seem to get it to work, no matter what i use as my expression. I am receiving events from a light forwarder on a windows box that is pulling the events using WMI from our domain controllers. The indexer is actually a linux box.

This is what I have in props.conf

[source::WMI:WinEventLog:Security]
SEDCMD-remwinstr = s/(?ism)This event is generated.*$//g

Nothing is being removed. I've tried all kinds of variations on both the stanza name as well as the regular expression itself. I've tried just [WMI:WinEventLog:Security], [WMI:WinEventLog*], [WMI*], and even the name of one of the hosts: [host::<hostname>]

I've also tried different variations of the regex. Even something like this doesn't do any replacement:

SEDCMD-remwinstr = s/(?ism)This/That/g

I've tried with and without (single or double) quotes around the entire part after the = as well. Thoughts?

Re: sedcmd not being applied

ftk — Fri, 04 Feb 2011 00:15:38 GMT

Have you restarted Splunk after putting your SEDCMD stanza in place?

Re: sedcmd not being applied

ajs07635 — Fri, 04 Feb 2011 00:23:19 GMT

yep. every time I make a change, I restart splunk through the manager UI.

Re: sedcmd not being applied

gkanapathy — Fri, 04 Feb 2011 04:58:30 GMT

The problem is that the source of WMI:WinEventLog:Security is not actually set to WMI:WinEventLog:Security at the time that the rule is being matched. There is in fact a TRANSFORM that occurs at index time that sets the source to the value you see. Since it's not yet set, the [source::] stanza rule you have does not match against the data.

You'd actually a stanza to match against sourcetype [wmi] to have it take effect. The problem here is that this will hit all WMI data, not just the Security Windows Event Log. That might be okay, though there will be a (small) performance cost.

Re: sedcmd not being applied

ajs07635 — Fri, 04 Feb 2011 05:36:42 GMT

That worked. I will have to watch the performance as we will be looking at several million events a day just from all the DCs. Is it not possible to specify a sourcetype of [wmi:wineventlog:security] as that is what is shown in the search results, or is the sourcetype changed via a transform as well?

Re: sedcmd not being applied

gkanapathy — Fri, 04 Feb 2011 09:29:49 GMT

Same problem with sourcetype I'm afraid. It is transformed at the same time as source. On the other hand, several million events per day isn't that much for a standard Splunk server to handle.

Re: sedcmd not being applied

twinspop — Thu, 06 Mar 2014 00:04:12 GMT

Just came across this post. Is there a ref somewhere for what the initial source/sourcetypes are? Can I find it in a forwarder log?