Hi guys,

I am having a really hard time figuring out how to get the sedcmd to work in props.conf. I'd appreciate any help you can lend. Here is an example of my config:

PROPS.CONF

[source::.../syslog_logs/*srx*/user.info.log]
SEDCMD-removeunwanted1 = s/\s(src-nat-rule-name=\"[^\"]+\")//
SEDCMD-removeunwanted2 = s/\s(source-zone-name=\"[^\"]+\")//
SEDCMD-removeunwanted3 = s/\s(destination-zone-name=\"[^\"]+\")//
SEDCMD-alter1 = s/destination/dst/g
SEDCMD-alter2 = s/source/src/g
SEDCMD-alter3 = s/address/ip/g
SEDCMD-alter4 = 's/protocol-id="17"/UDP/'
SEDCMD-alter5 = 's/protocol-id="6"/TCP/'
SEDCMD-alter6 = 's/protocol-id="1"/ICMP/

The point of this is to simplify our logs from Juniper SRXs. When I do a "--debug props list | grep SEDCMD", I see the commands listed. Not sure what I'm doing incorrectly, but have a couple of questions in addition to any advice you guys have.

1.) Does this props.conf have to be configured on the forwarder or the indexer? I'd prefer to do this on the forwarder if possible.
2.) Does restarting the splunk forwarder engage the changes? Or is there something else I need to do?
3.) Is there any way to monitor logs as they come into splunk? (similar to tail -f)
4.) Do you see anything wrong with my syntax?

Thanks in advance guys! I really appreciate the help!