Getting Data In

Can I use SED in configuration files?

maxdessureault
Engager

Hi all,

I am fairly new to Splunk and have been working on the following search time field extraction to grab windows formatted filenames from various different custom logs and was wondering if and how somehting like this can be made to automatically extract fields for a giver app. I believe this will require work in props.conf and use of SED scripts but was wondering if anyone could point me into the right direction as I wouldn't know where to start. Any help would be greatly appreciate:

| rex "(?(( |TrustedInsta|//)+[-a-zA-Z0-9)/(. ]+.(exe|dll|bat)$))" | rex mode=sed field=extractfilename "s/^[a-zA-Z0-9][ ]+ //" | rex mode=sed field=extract_filename "s/^ *//" | rex mode=sed field=extract_filename "s/^TrustedInsta//" | rex "(?(\+[a-zA-Z0-9]+.(exe|dll|bat)\"))" | eval FILE=mvappend(extractfilename, " ", extractfilename2)

Tags (1)
0 Karma
1 Solution

davecroto
Splunk Employee
Splunk Employee

sedcmd in props.conf

here is an example:

[your sourcetype]

sedcmd-extractfilename = s\/^[a-zA-Z0-9][ ]+ \/\/g

This of course if your regex is working properly.

View solution in original post

imanpoeiri
Communicator

Revive old post.

I have lines of data with below values

WORK_ORD_NO,ACT_ID,ACT_NO,ACT_NM,STATUS_CD,LAST_UPDATE_DT,DELAY_REASON_DESC
AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62364588:
AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62645015:
AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND:62625062:

I expect results like below:
WORK_ORD_NO,ACT_ID,ACT_NO,ACT_NM,STATUS_CD,LAST_UPDATE_DT,DELAY_REASON_DESC
AFP5850001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
AFP5849001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::
AFP5843001,3,0,Activity_A,DLY,1/7/2015 10:22,LINE_ID_NOT_FOUND::

And I use sed stanza like below
props.conf
[source::C:\Program Files\Splunk/etc/apps/MySampleApp/samples/Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = -r s/LINE_ID_NOT_FOUND:([0-9]){8}/LINE_ID_NOT_FOUND/g

but not working!

Appreciate if any experts can help me here.

0 Karma

imanpoeiri
Communicator

Fixed!

[source::C:Program FilesSplunk/etc/apps/MySampleApp/samples/Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = -r s/LINE_ID_NOT_FOUND:([0-9]){8}/LINE_ID_NOT_FOUND/g

[Order_Activities.csv]
SEDCMD-LINE_ID_NOT_FOUND = s/LINE_ID_NOT_FOUND:[0-9]*/LINE_ID_NOT_FOUND/g

0 Karma

davecroto
Splunk Employee
Splunk Employee

sedcmd in props.conf

here is an example:

[your sourcetype]

sedcmd-extractfilename = s\/^[a-zA-Z0-9][ ]+ \/\/g

This of course if your regex is working properly.

maxdessureault
Engager

Ah great actually all I needed to know my stuff is all good now thanks for the nudge.

0 Karma

maxdessureault
Engager

Sure here are a few different one which the above work with

07/13/2009 09:41 PM 169,472 NT SERVICE\TrustedInstaPortableDeviceWiaCompat.dll

0x00000000fd1b0000 0x51000 C:\WINDOWS\system32\msv10.DLL

The field extraction itself is working to my liking. My problem is getting the series of SED and REX into the config files as to automatically extract the FILE field when accessing a particular app or whatnot.

Thanks

0 Karma

rturk
Builder

Can you provide a sample event?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...