- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Can I run two SEDCMDs together in one
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I run two SEDCMDs together in one
I see this article:
http://splunk-base.splunk.com/answers/46024/multiple-sedcmds
But I also see this in the documentation for props.conf:
A sed script is a space-separated list of sed commands. Currently the following subset of
sed commands is supported:
* replace (s) and character substitution (y).
So I have these ridiculous Microsoft DNS servers that give you FQDNs that look like this:
(8)testserv(7)company(3)com(0)
Can I put this in props.conf for the sourcetype to remove the (0) and convert the others to dots?
SEDCMD-win_dns = s/(0)// s/(\d+)/./g
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nuts - posting eliminated a bunch of the backslashes I used for escaping the parens and the d
Grrr. Anyway, stringing the sedcmds together and trying to do two on separate lines didn't work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I tested and using this syntax does not work:
SEDCMD-win_dns = s/(0)// s/(\d+)/./g
It just did nothing.
Putting in in like this:
SEDCMD-win_dns = s/(0)//
SEDCMD-win_dns2 = s/(\d+)/./g
resulted in extra lines, so that was a failure. I guess I'm beat and I need to live with extra periods, then just get rid of them in the field extraction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to be clear, the "ridiculous" part of those parenthetical digits is actually an artifact of the way the DNS query / reply is encoded in the packet. It represents the number of bytes in the following string. The (0) means "the end".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think you can put multiple s commands in a single line, but you could re-write your regular expression like this:
SEDCMD-win_dns = s/\(\d+\)(\S+)\(\d+\)(\S+)\(\d+\)(\S+)\(\0\)/\1.\2.\3/g
This finds the whole pattern and replaces it all at once. I think it is safer than looking for it piecemeal, which might match things you didn't intend. A lot of the \ are to escape the () which have special meaning in regexes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I actually did have the backslash characters in my original post, but they didn't get past the rendering.
The pattern does not necessarily have only three levels. Local addresses commonly have five, and some have only one, so the regex needs to be more accommodating. That's why the two commands in one line would be attractive.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
