Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I test SECCMD from command line using oneshot?

markconlin
Path Finder
‎08-04-2017 02:23 PM

I am attempting to test a SEDCMD for event manipulation and it does not appear this is possible via oneshot?
When I try to test SEDCMD in my props.conf it never appears to work.

props.conf

[testst]
SEDCMD-xml = s/"xml":/"chicken":/

my command line attempt to test it

$./splunk add oneshot test.json -sourcetype testst -index mytest

my test event

{ "xml":"<Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:awsse=\"http://xml.chicken.com/2010/06/Session_v3\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><Header><To>http://www.w3.org/2005/08/addressing/anonymous</To><From><Address>..... AND SO ON BIG GIANT NASTEY XML",
  "other3":"even more stuff"}

proof this sed works on the command line

$ cat fakeevent.json | sed -e 's/"xml":/"chicken":/'
    { "chicken":"<Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:awsse=\"http://xml.chicken.com/2010/06/Session_v3\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><Header><To>http://www.w3.org/2005/08/addressing/anonymous</To><From><Address>..... AND SO ON BIG GIANT NASTEY XML", "other3":"even more stuff"}
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

markconlin
Path Finder
‎08-04-2017 02:58 PM

Ah - I forgot to restart. All is well. oneshot will test sourcetype SEDCMD lines in props.conf IF you remember to restart.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

anwarmian
Communicator
‎09-07-2024 09:30 AM

Correct.  We have to make sure that changing the configs via cli editor we need to restart the splunkd service for the configs to take effect.

0 Karma
Reply
Solved! Jump to solution
Solution

markconlin
Path Finder
‎08-04-2017 02:58 PM

Ah - I forgot to restart. All is well. oneshot will test sourcetype SEDCMD lines in props.conf IF you remember to restart.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...