- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Failed to remove lines from log files before index...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are trying to remove few lines from log files before indexing using SEDCMD command in props.conf.
We are using universal forwarder and we have only one Splunk Enterprise server.
Search and Index are both installed in that Splunk Enterprise server.
For testing purpose we have written the below command in props.conf (D:\SPLUNK\etc\apps\search\local) in the Splunk Enterprise server.
[sourcetype]
SEDCMD-alter=s/Lastline//g
We were expecting that the word 'Lastline' will not appear in the search but it didn't work.
Could you please suggest anyway to solve this.
Many thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the data that you can search in Splunk with the correct sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I created a sourcetype named lastline in SPLUNK_HOME/etc/apps/search/local/props.conf
[lastline]
SEDCMD-alter=s/Lastline//g
Restarted Splunk
Created a dummy file:
Tiago Lastline TiagoTiagog
Lastline asdkas dasds asd a12 e122wqd 12e ` 2
Lastline
Last wdqas
asdasd Lastline
And the result was the expected
Tiago TiagoTiagog
asdkas dasds asd a12 e122wqd 12e ` 2
Last wdqas
asdasd
If you have restarted splunk after creating the sourcetype in props and your events have the sourcetype "lastline" and still you don't have the expected results:
Do this $SPLUNK_HOME/bin/splunk btool props list -- debug
Find your sourcetype and check if your SEDCMD is there in the Stanza
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tiagofbmm,
Sorry for the late reply.
Yes, your information is correct and it is working properly.
I want exactly this kind of solutions.
Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the data that you can search in Splunk with the correct sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. I can search it in Splunk with the correct sourcetype
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
