We are trying to remove a few lines from log files before indexing using the SEDCMD command in props.conf.
We are using universal forwarder and we have only one Splunk Enterprise server.
Search and Index are both installed in that Splunk Enterprise server.
For testing purposes we have written the below command in props.conf (D:\SPLUNK\etc\apps\search\local) on the Splunk Enterprise server.
We were expecting that the word 'Lastline' would not appear in the search, but it didn't work.
Could you please suggest any way to solve this?
I created a sourcetype named lastline in SPLUNK_HOME/etc/apps/search/local/props.conf
Created a dummy file:
Tiago Lastline TiagoTiagog Lastline asdkas dasds asd a12 e122wqd 12e ` 2 Lastline Last wdqas asdasd Lastline
And the result was as expected:
Tiago TiagoTiagog asdkas dasds asd a12 e122wqd 12e ` 2 Last wdqas asdasd
If you have restarted Splunk after creating the sourcetype in props, your events have the sourcetype "lastline", and you still don't have the expected results:
Do this: $SPLUNK_HOME/bin/splunk btool props list --debug
Find your sourcetype and check if your SEDCMD is there in the stanza.
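To check a SEDCMD substitution against sample events before restarting Splunk, here is an added example (not code from the answer above or from Splunk): it reads the SEDCMD-* keys of a props.conf stanza and applies them with sed semantics. The stanza, the regex `s/ ?Lastline//g` and the use of Python's `re` in place of Splunk's PCRE engine are assumptions; the dummy event and its expected result are the ones shown in the answer.

```python
import re

# Constructed props.conf stanza for the "lastline" sourcetype from the answer above. The
# regex is an assumption: the original post does not show the SEDCMD that was used.
PROPS_CONF = """
[lastline]
SEDCMD-strip_lastline = s/ ?Lastline//g
"""
# Dummy event and expected result, as given in the answer above.
SAMPLE_EVENT = "Tiago Lastline TiagoTiagog Lastline asdkas dasds asd a12 e122wqd 12e ` 2 Lastline Last wdqas asdasd Lastline"
EXPECTED = "Tiago TiagoTiagog asdkas dasds asd a12 e122wqd 12e ` 2 Last wdqas asdasd"

def sedcmds_for_stanza(conf_text, stanza):
    """Collect the SEDCMD-* values of one stanza, in file order (Splunk's own class ordering is not modelled)."""
    in_stanza, cmds = False, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_stanza = line == "[%s]" % stanza
        elif in_stanza and line.startswith("SEDCMD-") and "=" in line:
            cmds.append(line.split("=", 1)[1].strip())
    return cmds

def parse_sedcmd(expr):
    """Split 's<delim>regex<delim>replacement<delim>flags'; only the substitute form is handled."""
    if len(expr) < 4 or expr[0] != "s":
        raise ValueError("unsupported SEDCMD: %r" % expr)
    delim = expr[1]
    parts = re.split(r"(?<!\\)" + re.escape(delim), expr[2:])  # split on unescaped delimiters
    if len(parts) != 3:
        raise ValueError("expected three delimiters in %r" % expr)
    return [p.replace("\\" + delim, delim) for p in parts]     # regex, replacement, flags

def apply_sedcmd(expr, event):
    """sed semantics: first match only by default, every match with g, only the Nth with a number."""
    regex, repl, flags = parse_sedcmd(expr)
    pattern = re.compile(regex)  # Python's re stands in for Splunk's PCRE engine (assumption)
    if flags == "g":
        return pattern.sub(repl, event)
    nth, seen = (int(flags) if flags.isdigit() else 1), [0]
    def pick(m):
        seen[0] += 1
        return m.expand(repl) if seen[0] == nth else m.group(0)
    return pattern.sub(pick, event)

def dry_run(conf_text, stanza, event):
    """Apply every SEDCMD of the stanza to one raw event, as the indexer would before writing it."""
    for cmd in sedcmds_for_stanza(conf_text, stanza):
        event = apply_sedcmd(cmd, event)
    return event
```

`dry_run(PROPS_CONF, "lastline", SAMPLE_EVENT)` returns the stripped event shown in the answer; if it does not, the regex is wrong rather than the sourcetype assignment, which is the other thing the btool check above rules out.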