
Help with SEDCMD in Props.conf

dfurtaw
Path Finder

Hi All,

I'm banging my head against a wall attempting to figure out why a SEDCMD inside of a props.conf on a UF isn't wanting to strip out the value I tell it to. We are wanting to strip out a hashed value from a log that is inside of a bracket (example below), as well as the brackets, with the SEDCMD. I am able to successfully test this command inside of the searchhead, but when I place it inside of the props.conf on the UF, I don't see it successfully implemented. I'm sure I'm missing something pretty simple. I've tried quite a few variations of this and no luck. Could anyone help me or possibly give me a hint as to what I could be doing wrong? Thank you all.

| rex mode=sed field=_raw "s/\[ecid: .+?\]//g"

[log4j]
SEDCMD-random=s/\[ecid: .+?\]//g

Sourcetype: log4j

[2020-06-24T10:02:08.590-04:00] [Server] [NOTIFICATION] [] [] [tid: 394025] [userId: <anonymous>] [ecid: 3956b675-4930-42d5-9e7d-94ca9013d2ea-0037ac42,0:26:74:38:2010:52:52:71:38] [APP: oraclediagent2] [partition-name: DOMAIN] [tenant-name: GLOBAL] [oracle.odi.runtime.MrepExtId: 38392028449]


richgalloway
SplunkTrust
Universal Forwarders don't support SEDCMD. Put that props.conf setting on your indexers.
---
If this reply helps you, Karma would be appreciated.

dfurtaw
Path Finder

Thanks for the reply, Rich!

I recall in the past (6 or so months ago), I was able to place a SEDCMD in the props on a UF and saw the stripping of data. Did this change recently? By placing it in a props on the indexers, will this allow the data to be stripped BEFORE it enters the licensing phase? We are hoping to remove this large amount of unnecessary data before it hits this stage to limit ingestion.


richgalloway
SplunkTrust
Are you sure it was a UF you used in the past and not a heavy forwarder (HF)? HFs support SEDCMD.
Yes, using SEDCMD on the indexers strips data before it is counted against your license.
---
If this reply helps you, Karma would be appreciated.

dfurtaw
Path Finder

Awesome. Thanks!

Yes, it was on the UF of our Syslog relay farm. It was a SEDCMD that obfuscated some sensitive data. Host -> Syslog -> Splunk Cloud


richgalloway
SplunkTrust

Try this SEDCMD on your UF.

SEDCMD-ecid = s/(.*?)\[ecid: .+?\](.*)/\1\2/
---
If this reply helps you, Karma would be appreciated.
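As an added check that is not part of the thread: a small Python script that emulates Splunk's sed-style substitution so a SEDCMD value can be tried against a sample event (here the one from the question) before it is deployed in props.conf. The helper names parse_sedcmd and apply_sedcmd are my own, and Python's re module stands in for Splunk's PCRE engine, which behaves the same for the constructs these two expressions use.

```python
import re

# Sample event constructed from the one quoted in the question (single line).
SAMPLE_EVENT = (
    "[2020-06-24T10:02:08.590-04:00] [Server] [NOTIFICATION] [] [] [tid: 394025] "
    "[userId: <anonymous>] [ecid: 3956b675-4930-42d5-9e7d-94ca9013d2ea-0037ac42,"
    "0:26:74:38:2010:52:52:71:38] [APP: oraclediagent2] [partition-name: DOMAIN] "
    "[tenant-name: GLOBAL] [oracle.odi.runtime.MrepExtId: 38392028449]"
)

# The two SEDCMD values from the thread (the part after "SEDCMD-<name> =").
SEDCMD_GLOBAL = r"s/\[ecid: .+?\]//g"                # original attempt
SEDCMD_ACCEPTED = r"s/(.*?)\[ecid: .+?\](.*)/\1\2/"  # accepted answer


def parse_sedcmd(expr):
    """Split s<d>regex<d>replacement<d>flags into its three parts.

    The delimiter is the character after 's'; a delimiter escaped with a
    backslash inside the regex or replacement does not end the field.
    Splunk's 'y/' transliteration form is not handled by this helper.
    """
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("only s/// substitutions are supported")
    delim = re.escape(expr[1])
    parts = re.split(r"(?<!\\)" + delim, expr[2:])
    if len(parts) != 3:
        raise ValueError("expected s<d>regex<d>replacement<d>flags")
    return parts[0], parts[1], parts[2]


def apply_sedcmd(expr, event):
    """Apply one SEDCMD to one event: 'g' replaces every match, else only the first.

    Python's re is not PCRE, but for the lazy quantifiers, escaped brackets and
    \\1-style backreferences used here the result is identical.
    """
    pattern, repl, flags = parse_sedcmd(expr)
    count = 0 if "g" in flags else 1
    return re.sub(pattern, repl, event, count=count)


if __name__ == "__main__":
    for expr in (SEDCMD_GLOBAL, SEDCMD_ACCEPTED):
        print(expr, "->", apply_sedcmd(expr, SAMPLE_EVENT))
```

Both expressions leave the two spaces that surrounded the removed bracket group; extend the regex if that matters for downstream field extraction.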

dfurtaw
Path Finder

A little late on my reply, but it worked. Thanks Rich! I guess in some cases, we can SED on the UF.
