Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Failed to remove lines from log files before index...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are trying to remove few lines from log files before indexing using SEDCMD command in props.conf.
We are using universal forwarder and we have only one Splunk Enterprise server.
Search and Index are both installed in that Splunk Enterprise server.
For testing purpose we have written the below command in props.conf (D:\SPLUNK\etc\apps\search\local) in the Splunk Enterprise server.
[sourcetype]
SEDCMD-alter=s/Lastline//g
We were expecting that the word 'Lastline' will not appear in the search but it didn't work.
Could you please suggest anyway to solve this.
Many thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the data that you can search in Splunk with the correct sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I created a sourcetype named lastline in SPLUNK_HOME/etc/apps/search/local/props.conf
[lastline]
SEDCMD-alter=s/Lastline//g
Restarted Splunk
Created a dummy file:
Tiago Lastline TiagoTiagog
Lastline asdkas dasds asd a12 e122wqd 12e ` 2
Lastline
Last wdqas
asdasd Lastline
And the result was the expected
Tiago TiagoTiagog
asdkas dasds asd a12 e122wqd 12e ` 2
Last wdqas
asdasd
If you have restarted splunk after creating the sourcetype in props and your events have the sourcetype "lastline" and still you don't have the expected results:
Do this $SPLUNK_HOME/bin/splunk btool props list -- debug
Find your sourcetype and check if your SEDCMD is there in the Stanza
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tiagofbmm,
Sorry for the late reply.
Yes, your information is correct and it is working properly.
I want exactly this kind of solutions.
Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the data that you can search in Splunk with the correct sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. I can search it in Splunk with the correct sourcetype
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
