Solved: Can I test SECCMD from command line using oneshot?

markconlin · ‎08-04-2017

I am attempting to test a SEDCMD for event manipulation and it does not appear this is possible via oneshot?
When I try to test SEDCMD in my props.conf it never appears to work.

props.conf

[testst]
SEDCMD-xml = s/"xml":/"chicken":/

my command line attempt to test it

$./splunk add oneshot test.json -sourcetype testst -index mytest

my test event

{ "xml":"<Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:awsse=\"http://xml.chicken.com/2010/06/Session_v3\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><Header><To>http://www.w3.org/2005/08/addressing/anonymous</To><From><Address>..... AND SO ON BIG GIANT NASTEY XML",
  "other3":"even more stuff"}

proof this sed works on the command line

$ cat fakeevent.json | sed -e 's/"xml":/"chicken":/'
    { "chicken":"<Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:awsse=\"http://xml.chicken.com/2010/06/Session_v3\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><Header><To>http://www.w3.org/2005/08/addressing/anonymous</To><From><Address>..... AND SO ON BIG GIANT NASTEY XML", "other3":"even more stuff"}

markconlin · ‎08-04-2017

Ah - I forgot to restart. All is well. oneshot will test sourcetype SEDCMD lines in props.conf IF you remember to restart.

View solution in original post

anwarmian · ‎09-07-2024

Correct. We have to make sure that changing the configs via cli editor we need to restart the splunkd service for the configs to take effect.

markconlin · ‎08-04-2017

Ah - I forgot to restart. All is well. oneshot will test sourcetype SEDCMD lines in props.conf IF you remember to restart.

Can I test SECCMD from command line using oneshot?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector