I see this article:
http://splunk-base.splunk.com/answers/46024/multiple-sedcmds
But I also see this in the documentation for props.conf:
A sed script is a space-separated list of sed commands. Currently the following subset of
sed commands is supported:
* replace (s) and character substitution (y).
So I have these ridiculous Microsoft DNS servers that give you FQDNs that look like this:
(8)testserv(7)company(3)com(0)
Can I put this in props.conf for the sourcetype to remove the (0) and convert the others to dots?
SEDCMD-win_dns = s/(0)// s/(\d+)/./g
Nuts - posting eliminated a bunch of the backslashes I used for escaping the parens and the d.
Grrr. Anyway, stringing the sedcmds together and trying to do two on separate lines didn't work.
So I tested and using this syntax does not work:
SEDCMD-win_dns = s/\(0\)// s/\(\d+\)/./g
Putting it in like this:
SEDCMD-win_dns = s/\(0\)//
SEDCMD-win_dns2 = s/\(\d+\)/./g
Just to be clear, the "ridiculous" part of those parenthetical digits is actually an artifact of the way the DNS query / reply is encoded in the packet. It represents the number of bytes in the following string. The (0) means "the end".
I don't think you can put multiple s commands in a single line, but you could re-write your regular expression like this:
SEDCMD-win_dns = s/\(\d+\)(\S+)\(\d+\)(\S+)\(\d+\)(\S+)\(0\)/\1.\2.\3/g
This finds the whole pattern and replaces it all at once. I think it is safer than looking for it piecemeal, which might match things you didn't intend. A lot of the \ are to escape the () which have special meaning in regexes.
Thanks. I actually did have the backslash characters in my original post, but they didn't get past the rendering.
The pattern does not necessarily have only three levels. Local addresses commonly have five, and some have only one, so the regex needs to be more accommodating. That's why the two commands in one line would be attractive.
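Since the label count varies, here is an added Python example (not from the thread or from Splunk) that shows both approaches side by side: the two-step sed substitution as written above, and a decoder that uses the length prefixes as the DNS packet encoding intends, so a name with any number of labels is accepted and a malformed one is rejected instead of being turned into a plausible-looking hostname. The sample log values are constructed; labels are assumed not to contain parentheses.

```python
import re

# Constructed samples in the Microsoft DNS debug-log label notation described in the thread.
SAMPLES = {
    "(8)testserv(7)company(3)com(0)": "testserv.company.com",
    "(4)host(4)corp(6)branch(7)example(5)local(0)": "host.corp.branch.example.local",
    "(9)localhost(0)": "localhost",
}

# One "(length)label" unit; label text is assumed to contain no parentheses.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def sed_two_step(text):
    """Python equivalent of the two SEDCMDs proposed in the question:
    s/\\(0\\)// followed by s/\\(\\d+\\)/./g.
    Note that the leading '(8)' also becomes '.', so the result carries a leading dot."""
    step1 = re.sub(r"\(0\)", "", text)
    return re.sub(r"\(\d+\)", ".", step1)


def decode_labels(text):
    """Decode '(len)label...(0)' into a dotted name for any number of labels.
    Each '(n)' is the byte length of the label that follows and '(0)' is the root
    terminator. A length that does not match its label, or stray text between
    units, raises ValueError so a truncated or garbled line is not silently accepted."""
    if not text.endswith("(0)"):
        raise ValueError("missing (0) root terminator: %r" % text)
    body = text[:-3]
    labels = []
    pos = 0
    for m in LABEL_RE.finditer(body):
        if m.start() != pos:
            raise ValueError("unexpected text at offset %d: %r" % (pos, text))
        declared, label = int(m.group(1)), m.group(2)
        if len(label) != declared:
            raise ValueError("length %d does not match label %r" % (declared, label))
        labels.append(label)
        pos = m.end()
    if pos != len(body):
        raise ValueError("trailing text at offset %d: %r" % (pos, text))
    return ".".join(labels)


if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        print(raw, "->", decode_labels(raw), "| sed:", sed_two_step(raw))
        assert decode_labels(raw) == expected
```

Running it shows the sed version yields ".testserv.company.com" while the decoder yields "testserv.company.com" for every label count in SAMPLES.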