I have a splunk heavy forwarder setup where the logs are not indexed but are forwarded to another device. I am trying to replace some characters in the logs and forward the changed logs to another device. I tried the following configuration without any success.
props.conf in /opt/splunk/etc/system/local/
[solaris:ldap] SEDCMD-combined = s/m/t/g TRANSFORMS-routing = send_to_syslog
I am expecting changetype: todify in the syslog port of the forwarded device. The logs are coming in but without any changes.
I checked for related questions, but most questions have been answered in reference to indexers and not forwarders, so would also like to know if SEDCMD actually works for forwarders without indexers.
In addition, in the above configuration, I am not sure what combined in line SEDCMD-combined does as I could not find a proper definition of that particular field in the documentation. I looked for other examples and copied it from there. Could anyone answer my questions and help me solve my problem?
The best way to test your sed is to use the
add data then hit
uploadand modify that option from there. At least that way you can troubleshoot your sed.
Having done that on my side, this is the right sed to include in your
SEDCMD-RemovingBackSlash = s/\\//g
Let me know if you're able to test it out yourself.
combined is a
class or in other words, an identifier. It can be whatever you like. It is helpful to describe what the SEDCMD is trying to achieve, ie.
SEDCMD-<class> = <sed script>
As for why your events are not being modified..based on https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Forwarddatatothird-partysystemsd#Syslo... it should work, as it specifically calls out the example of removing new lines from wineventlogs before sending and points to https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Anonymizedata#Anonymize_data_through_a_sed_s..., which I assume you have reviewed.
So let's jump into chasing the root cause!
what version of Splunk your HF?
Just good to know what version we are dealing with.
What does the inputs.conf look like for this data? Is it a file monitor, or are you catching syslog on a port? etc?
This helps trace how this data enters the Splunk pipeline.
What does the full props.conf for
solaris:ldap look like? Are these the only parameters being set for this sourcetype?
you can check with
./splunk btool props list solaris:ldap --debug to see the full config.
Is that sample event really representative of your data??
In troubleshooting this, it is key to provide exact data (anonymized of course). Is this truly the data you are working with? and does a single event really look like that?
Thank you for replying.
I now understand class is an identifier that we define ourselves, and may or may not use it anywhere else. For this problem, I do not see that I will need this combined class anywhere else.
I will try to further illustrate the problem to chase the root cause.
I am using Splunk of version 7.2.1
[default] host = hostname _SYSLOG_ROUTING = devicename queueSize = 20GB persistentQueueSize = 30GB
I am trying to catch logs coming in from port 1234. Since the logs are coming in alright, I am assuming that the configuration in Inputs.conf is all good. Or should I use port somewhere in there?
The logs coming in are multiline and my primary purpose is to stitch the logs by replacing new line characters with "|". However, after failing to do so with multiple configurations, first I am determined to replace alphabets.
The above configuration is all that I have configured for solaris:ldap in /opt/splunk/etc/system/local. I checked using the btool and there are other fields and values which are used from /opt/splunk/etc/system/default.
The log sample I have given above is a complete line from a multiline log. It is not the first line of the log though. The complete log looks something like this:
time: 20180702100600 dn: uid=xx11111,ou=xxxxxx,ou=xxxxxx,dc=xx,dc=xxxx,dc=xxxx,dc=xxxx,dc=xxx,dc=xx changetype: modify replace: pwdFailureTime - replace: pwdAccountLockedTime
HI @mmodestino_splunk :
I am facing same issue with removing backslashes from logs using SEDCMD in props on indexer.
when I run query | rex mode=sed "s/\\//g" in search it works but when I put same entry as below in props on indexer it doesnt work:
SEDCMD-RemovingBackSlash = s/\\//g