Hi all,
I am fairly new to Splunk and have been working on the following search-time field extraction to grab Windows-formatted filenames from various different custom logs, and was wondering if and how something like this can be made to automatically extract fields for a given app. I believe this will require work in props.conf and use of SED scripts, but was wondering if anyone could point me in the right direction as I wouldn't know where to start. Any help would be greatly appreciated:
| rex "(?<extractfilename>(( |TrustedInsta|//)+[-a-zA-Z0-9)/(. ]+.(exe|dll|bat)$))" | rex mode=sed field=extractfilename "s/^[a-zA-Z0-9][ ]+ //" | rex mode=sed field=extractfilename "s/^ *//" | rex mode=sed field=extractfilename "s/^TrustedInsta//" | rex "(?<extractfilename2>(\+[a-zA-Z0-9]+.(exe|dll|bat)\"))" | eval FILE=mvappend(extractfilename, " ", extractfilename2)
sedcmd in props.conf
here is an example:
[your sourcetype]
SEDCMD-extractfilename = s/^[a-zA-Z0-9][ ]+ //g
This of course only works if your regex is working properly.
Revive old post.
I have lines of data with below values
WORK_ORD_NO,ACT_ID,ACT_NO,ACT_NM,STATUS_CD,LAST_UPDATE_DT,DELAY_REASON_DESC
AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62364588:
AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62645015:
AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62625062:
I expect results like below:
WORK_ORD_NO,ACT_ID,ACT_NO,ACT_NM,STATUS_CD,LAST_UPDATE_DT,DELAY_REASON_DESC
AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
And I use sed stanza like below
props.conf
[source::C:\Program Files\Splunk/etc/apps/MySampleApp/samples/Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = -r s/LINE_ID_NOT_FOUND:([0-9]){8}/LINE_ID_NOT_FOUND/g
but not working!
Appreciate if any experts can help me here.
Fixed!
[source::C:\Program Files\Splunk/etc/apps/MySampleApp/samples/Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = -r s/LINE_ID_NOT_FOUND:([0-9]){8}/LINE_ID_NOT_FOUND/g
[Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = s/LINE_ID_NOT_FOUND:[0-9]*/LINE_ID_NOT_FOUND/g
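A quick way to check a SEDCMD value before putting it into props.conf is to run the same s/// expression over a few sample rows offline. The block below is an added example, not code from the thread or from Splunk: it parses a Splunk-style `s<delim>regex<delim>replacement<delim>flags` value (honouring `\/` as an escaped delimiter, which is how a literal slash is written in a SEDCMD) and applies it with Python's `re` module, which is close enough to Splunk's PCRE engine for patterns like these. The sample rows are the three CSV lines quoted above; `WORKING` is the stanza value the post ends with, and `KEEP_COLONS` is a constructed variant that leaves both colons in place, which is what the "expected results" listing actually shows. A value with a leading `-r ` is rejected because it does not start with `s`, matching the documented `s/regex/replacement/flags` form; sed's `&` in a replacement is not translated.

```python
import re

# Constructed sample rows, copied from the CSV lines quoted in the thread.
SAMPLE_ROWS = [
    "AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62364588:",
    "AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62645015:",
    "AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62625062:",
]

# The stanza value the thread ended up with (strips the number and the colon
# before it), and a constructed variant that keeps both colons so the output
# matches the "expected results" listing exactly.
WORKING = "s/LINE_ID_NOT_FOUND:[0-9]*/LINE_ID_NOT_FOUND/g"
KEEP_COLONS = "s/LINE_ID_NOT_FOUND:[0-9]+:/LINE_ID_NOT_FOUND::/g"


def parse_sedcmd(expr):
    """Split 's<d>regex<d>replacement<d>flags' into (pattern, replacement, flags).

    Only the s/// form is handled (no y///). A backslash followed by the
    delimiter inside a part is an escaped delimiter, e.g. '\\/' -> '/'.
    """
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError(f"not an s/// substitution: {expr!r}")
    delim = expr[1]
    parts, cur, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr) and expr[i + 1] == delim:
            cur.append(delim)          # escaped delimiter -> literal character
            i += 2
            continue
        if ch == delim:
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)                 # everything else (including \d, \1) passes through
        i += 1
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError(f"malformed substitution: {expr!r}")
    return tuple(parts)


def is_valid_sedcmd(expr):
    """True if the value parses; a leading '-r ' (GNU sed syntax) makes it invalid."""
    try:
        parse_sedcmd(expr)
        return True
    except ValueError:
        return False


def apply_sedcmd(expr, text):
    """Emulate one substitution: 'g' replaces every match, otherwise only the first.

    sed-style backreferences (\\1) work unchanged in re.sub; sed's '&' does not.
    """
    pattern, replacement, flags = parse_sedcmd(expr)
    count = 0 if "g" in flags else 1
    return re.sub(pattern, replacement, text, count=count)


def apply_to_rows(expr, rows=SAMPLE_ROWS):
    """Apply one SEDCMD value to every sample row and return the rewritten rows."""
    return [apply_sedcmd(expr, row) for row in rows]


if __name__ == "__main__":
    for label, expr in (("working", WORKING), ("keep colons", KEEP_COLONS)):
        print(f"--- {label}: {expr}")
        for row in apply_to_rows(expr):
            print(row)
    print("'-r' prefix accepted?",
          is_valid_sedcmd("-r s/LINE_ID_NOT_FOUND:([0-9]){8}/LINE_ID_NOT_FOUND/g"))
```

Note that the original `LINE_ID_NOT_FOUND:([0-9]){8}` pattern itself matches fine once the `-r ` prefix is gone, since PCRE-style engines (and Python's `re`) support `{8}` without an extended-regex switch.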
Ah great, actually that's all I needed to know; my stuff is all good now. Thanks for the nudge.
Sure, here are a few different ones which the above works with:
07/13/2009 09:41 PM 169,472 NT SERVICE\TrustedInstaPortableDeviceWiaCompat.dll
0x00000000fd1b0000 0x51000 C:\WINDOWS\system32\msv10.DLL
The field extraction itself is working to my liking. My problem is getting the series of SED and REX into the config files as to automatically extract the FILE field when accessing a particular app or whatnot.
Thanks
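The chain of rex and sed steps in the original question can be folded into one regex with named groups, which is what a search-time `EXTRACT-<class>` attribute in props.conf takes (SEDCMD, by contrast, rewrites the raw event at index time, so it is the wrong tool when the goal is a FILE field at search time). The block below is an added example, not the poster's SPL and not Splunk code: it runs such a regex over the two sample events quoted above plus one constructed event, using Python's `re` (Python spells named groups `(?P<name>...)`; Splunk's PCRE engine uses `(?<name>...)`, shown in the comment as a hypothetical `[your_sourcetype]` stanza). The `TrustedInsta` prefix is stripped only when it directly follows the truncated `NT SERVICE\` owner column of a `dir /q`-style listing, so a real `TrustedInstaller.exe` with a full path is left intact.

```python
import re

# Constructed sample events: the first two are the lines quoted in the thread
# (a dir-style listing whose truncated owner column runs into the file name,
# and a loaded-module line with a full path); the third is made up here to
# show the edge case of a file genuinely named TrustedInstaller.exe.
SAMPLE_EVENTS = [
    r"07/13/2009 09:41 PM 169,472 NT SERVICE\TrustedInstaPortableDeviceWiaCompat.dll",
    r"0x00000000fd1b0000 0x51000 C:\WINDOWS\system32\msv10.DLL",
    r"0x0000000077a10000 0x1f000 C:\Windows\servicing\TrustedInstaller.exe",
]

# Equivalent search-time extraction for props.conf (hypothetical sourcetype
# name; Splunk's PCRE spells named groups (?<name>...)):
#   [your_sourcetype]
#   EXTRACT-file = (?i)(?<PATH>(?:[A-Za-z]:\\|\\\\)(?:[^\\/:*?"<>|\s]+\\)*)?(?<FILE>[^\\/\s]+\.(?:exe|dll|bat))\s*$
#
# PATH is optional and only matches a drive-letter or UNC prefix with its
# backslash-terminated components; FILE is the base name ending in .exe/.dll/.bat
# at the end of the event. (?i) makes .DLL match as well as .dll.
FILE_RE = re.compile(
    r'(?i)(?P<PATH>(?:[A-Za-z]:\\|\\\\)(?:[^\\/:*?"<>|\s]+\\)*)?'
    r'(?P<FILE>[^\\/\s]+\.(?:exe|dll|bat))\s*$'
)

# `dir /q` truncates the owner column "NT SERVICE\TrustedInstaller" to
# "NT SERVICE\TrustedInsta" and runs it straight into the file name; the
# thread's SPL strips the leftover with s/^TrustedInsta//.
FUSED_OWNER_COLUMN = "NT SERVICE\\"
FUSED_OWNER_PREFIX = "TrustedInsta"


def extract_file(event):
    """Return {'PATH': ..., 'FILE': ...} for one event, or None if no binary name is present."""
    m = FILE_RE.search(event)
    if not m:
        return None
    name = m.group("FILE")
    # Strip the fused owner prefix only in the dir-listing case, i.e. when the
    # name is preceded by the truncated "NT SERVICE\" column; a real
    # TrustedInstaller.exe under a full path is left alone.
    preceded_by_owner = event[:m.start("FILE")].endswith(FUSED_OWNER_COLUMN)
    if preceded_by_owner and name.startswith(FUSED_OWNER_PREFIX):
        name = name[len(FUSED_OWNER_PREFIX):]
    return {"PATH": m.group("PATH"), "FILE": name}


def extract_all(events=SAMPLE_EVENTS):
    """Run the extraction over every sample event."""
    return [extract_file(e) for e in events]


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, extract_all()):
        print(f"{event!r}\n    -> {fields}")
```

Once the regex behaves on sample events, the same pattern goes into the `EXTRACT-file` line of the sourcetype's stanza, and FILE and PATH appear as search-time fields for every event of that sourcetype without any rex pipeline in the search.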
Can you provide a sample event?