I am having a really hard time figuring out how to get the sedcmd to work in props.conf. I'd appreciate any help you can lend. Here is an example of my config:
[source::.../syslog_logs/*srx*/user.info.log] SEDCMD-removeunwanted1 = s/\s(src-nat-rule-name=\"[^\"]+\")// SEDCMD-removeunwanted2 = s/\s(source-zone-name=\"[^\"]+\")// SEDCMD-removeunwanted3 = s/\s(destination-zone-name=\"[^\"]+\")// SEDCMD-alter1 = s/destination/dst/g SEDCMD-alter2 = s/source/src/g SEDCMD-alter3 = s/address/ip/g SEDCMD-alter4 = 's/protocol-id="17"/UDP/' SEDCMD-alter5 = 's/protocol-id="6"/TCP/' SEDCMD-alter6 = 's/protocol-id="1"/ICMP/
The point of this is to simplify our logs from Juniper SRXs. When I do a "--debug props list | grep SEDCMD", I see the commands listed. Not sure what I'm doing incorrectly, but have a couple of questions in addition to any advice you guys have.
1.) Does this props.conf have to be configured on the forwarder or the indexer? I'd prefer to do this on the forwarder if possible.
2.) Does restarting the splunk forwarder engage the changes? Or is there something else I need to do?
3.) Is there any way to monitor logs as they come into splunk? (similar to tail -f)
4.) Do you see anything wrong with my syntax?
Thanks in advance guys! I really appreciate the help!
It needs to be done on a Splunk instance doing parsing. That'd be an Indexer or Heavy Forwarder, but not a Universal Forwarder.
Go through the props.conf example on below link
Coming to your questions
1. SED script works at index time, ie, it executed on _raw field. so answer is Indexer
2. Indexer restart is required
3. Use some sample log file and you can use preview option to verify all your rules.
4. refer to document, If you are replacing strings then it should be SED-alter=y/string1/string2/