Getting Data In

Failed to remove lines from log files before indexing using SEDCMD command in props.conf

saibal6
Path Finder

We are trying to remove a few lines from log files before indexing using the SEDCMD command in props.conf.
We are using universal forwarder and we have only one Splunk Enterprise server.
Search and Index are both installed in that Splunk Enterprise server.
For testing purposes we have written the below command in props.conf (D:\SPLUNK\etc\apps\search\local) on the Splunk Enterprise server.

[sourcetype]
SEDCMD-alter=s/Lastline//g

We were expecting that the word 'Lastline' would not appear in the search, but it didn't work.

Could you please suggest any way to solve this?

Many thanks


tiagofbmm
Influencer

I created a sourcetype named lastline in SPLUNK_HOME/etc/apps/search/local/props.conf

[lastline]
SEDCMD-alter=s/Lastline//g

Restarted Splunk

Created a dummy file:

Tiago Lastline TiagoTiagog 
Lastline asdkas dasds asd a12 e122wqd 12e ` 2 
Lastline
Last    wdqas
asdasd Lastline

And the result was as expected:

Tiago  TiagoTiagog 
 asdkas dasds asd a12 e122wqd 12e ` 2 

Last    wdqas
asdasd 

If you have restarted Splunk after creating the sourcetype in props.conf, your events have the sourcetype "lastline", and you still don't have the expected results:

Run this: $SPLUNK_HOME/bin/splunk btool props list --debug

Find your sourcetype and check if your SEDCMD is there in the stanza.
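To show what the SEDCMD rule in this answer does to the dummy file, here is a small Python emulation of the `s/regex/replacement/flags` form that Splunk applies at parse time (an added example, not Splunk's code or the poster's). The escaped-delimiter handling, the hypothetical `mask` rule and the ordering of multiple rules are assumptions for illustration.

```python
import re

# Constructed inputs modelled on the thread above: the poster's SEDCMD rule, a
# hypothetical second rule masking 16-digit numbers, and the answer's dummy file.
SEDCMDS = {
    "alter": "s/Lastline//g",
    "mask": r"s/\b\d{16}\b/XXXXXXXXXXXXXXXX/g",  # hypothetical, not from the thread
}
DUMMY_FILE = ["Tiago Lastline TiagoTiagog ", "Lastline asdkas dasds asd a12 e122wqd 12e ` 2 ",
              "Lastline", "Last    wdqas", "asdasd Lastline"]

def _split_unescaped(text, delim):
    """Split on delim, treating a backslash-escaped delimiter as a literal character."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] == delim:
            buf.append(delim)
            i += 2
        elif text[i] == delim:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts

def parse_sedcmd(value):
    """Parse 's<d>regex<d>replacement<d>flags' (only the s form is modelled here)."""
    if len(value) < 2 or value[0] != "s":
        raise ValueError("only s/regex/replacement/flags is handled: %r" % value)
    parts = _split_unescaped(value[2:], value[1])
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags: %r" % value)
    regex, repl, flags = parts
    return re.compile(regex), repl, flags

def apply_sedcmd(value, event):
    """Apply one SEDCMD value to one raw event: 'g' replaces every match, otherwise only the first."""
    regex, repl, flags = parse_sedcmd(value)
    return regex.sub(repl, event, count=0 if "g" in flags else 1)

def apply_stanza(sedcmds, event):
    """Run each SEDCMD-<class> of a stanza in turn (dict order here; Splunk's ordering is not modelled)."""
    for value in sedcmds.values():
        event = apply_sedcmd(value, event)
    return event
```

SEDCMD is applied at the parsing stage, not by a universal forwarder, which is why the stanza belongs on the Splunk Enterprise server in this setup.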

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

saibal6
Path Finder

Hi tiagofbmm,

Sorry for the late reply.
Yes, your information is correct and it is working properly.
I wanted exactly this kind of solution.

Thanks a lot.


tiagofbmm
Influencer

Is the data that you can search in Splunk with the correct sourcetype?


saibal6
Path Finder

Yes. I can search it in Splunk with the correct sourcetype.
