How to replace characters in logs using SEDCMD in props.conf in Splunk Heavy Forwarder?

kirandhakal25
New Member

I have a Splunk heavy forwarder setup where the logs are not indexed but are forwarded to another device. I am trying to replace some characters in the logs and forward the changed logs to another device. I tried the following configuration without any success.

props.conf in /opt/splunk/etc/system/local/

[solaris:ldap]
SEDCMD-combined = s/m/t/g
TRANSFORMS-routing = send_to_syslog

Log Sample

changetype: modify

I am expecting changetype: todify in the syslog port of the forwarded device. The logs are coming in but without any changes.
I checked for related questions, but most questions have been answered in reference to indexers and not forwarders, so would also like to know if SEDCMD actually works for forwarders without indexers.

In addition, in the above configuration, I am not sure what combined in the line SEDCMD-combined does, as I could not find a proper definition of that particular field in the documentation. I looked for other examples and copied it from there. Could anyone answer my questions and help me solve my problem?

0 Karma

DavidHourani
Super Champion

Hi @tkmads,

The best way to test your sed is to use Add Data, then hit Upload and modify that option from there. At least that way you can troubleshoot your sed.

Having done that on my side, this is the right sed to include in your props.conf :

SEDCMD-RemovingBackSlash = s/\\//g

Let me know if you're able to test it out yourself.

Cheers,
David

0 Karma

mattymo
Splunk Employee

Hey kirandhakal25!

In your SEDCMD-combined, combined is a class, or in other words, an identifier. It can be whatever you like. It is helpful to describe what the SEDCMD is trying to achieve, i.e. SEDCMD-modifyLDAPsyslog:

SEDCMD-<class> = <sed script>

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Propsconf

As for why your events are not being modified: based on https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Forwarddatatothird-partysystemsd#Syslo... it should work, as it specifically calls out the example of removing new lines from wineventlogs before sending and points to https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Anonymizedata#Anonymize_data_through_a_sed_s..., which I assume you have reviewed.

So let's jump into chasing the root cause!

What version of Splunk is your HF?

Just good to know what version we are dealing with.

What does the inputs.conf look like for this data? Is it a file monitor, or are you catching syslog on a port? etc?

This helps trace how this data enters the Splunk pipeline.

What does the full props.conf for solaris:ldap look like? Are these the only parameters being set for this sourcetype?

You can check with ./splunk btool props list solaris:ldap --debug to see the full config.

Is that sample event really representative of your data?

In troubleshooting this, it is key to provide exact data (anonymized, of course). Is this truly the data you are working with, and does a single event really look like that?

0 Karma

kirandhakal25
New Member

Hi @mmodestino_splunk

Thank you for replying.
I now understand that class is an identifier we define ourselves, and may or may not use anywhere else. For this problem, I do not see that I will need this combined class anywhere else.

I will try to further illustrate the problem to chase the root cause.
I am using Splunk version 7.2.1.

inputs.conf

[default]
host = hostname
_SYSLOG_ROUTING = devicename

queueSize = 20GB
persistentQueueSize = 30GB

I am trying to catch logs coming in from port 1234. Since the logs are coming in alright, I am assuming that the configuration in inputs.conf is all good. Or should I use the port somewhere in there?

The logs coming in are multiline, and my primary purpose is to stitch the logs by replacing newline characters with "|". However, after failing to do so with multiple configurations, I am first determined to replace letters.

The above configuration is all that I have configured for solaris:ldap in /opt/splunk/etc/system/local. I checked using the btool and there are other fields and values which are used from /opt/splunk/etc/system/default.

The log sample I have given above is a complete line from a multiline log. It is not the first line of the log though. The complete log looks something like this:

time: 20180702100600
dn: uid=xx11111,ou=xxxxxx,ou=xxxxxx,dc=xx,dc=xxxx,dc=xxxx,dc=xxxx,dc=xxx,dc=xx
changetype: modify
replace: pwdFailureTime
-
replace: pwdAccountLockedTime

0 Karma
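To line the pieces of this setup up end to end, here is an added example configuration for a heavy forwarder that receives the LDAP records on TCP port 1234, stitches each multi-line record into a single line, and routes it to a syslog target. It is my example, not the poster's configuration and not a verbatim copy of Splunk's documentation. Assumptions: every record begins with a "time:" line as in the posted sample, the syslog target is called devicename, and it listens on 192.0.2.10 UDP 514. It makes two things explicit that are easy to miss: the input stanza assigns the sourcetype, because a [solaris:ldap] props stanza only fires for events that actually carry that sourcetype; and LINE_BREAKER keeps one whole record in one event, because a SEDCMD runs per event after line breaking and cannot see newlines the line breaker has already consumed.

```ini
# inputs.conf  (added example; lives in $SPLUNK_HOME/etc/system/local/)
[tcp://1234]
sourcetype = solaris:ldap
connection_host = dns

# props.conf
[solaris:ldap]
# One event = one LDAP record. Assumption: every record begins with a "time:" line,
# so break the stream before each such line; the captured newlines are discarded.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)time:
# Runs after line breaking on the complete event: collapse remaining line ends into "|".
# "stitch" is only the class name; any label works, it just has to be unique in the stanza.
SEDCMD-stitch = s/[\r\n]+/|/g
# Route every event of this sourcetype to the syslog output group below.
TRANSFORMS-routing = send_to_syslog

# transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = devicename

# outputs.conf  (assumption: the receiving device is 192.0.2.10, UDP port 514)
[syslog:devicename]
server = 192.0.2.10:514
type = udp
```

Check with ./splunk btool props list solaris:ldap --debug that these are the values that win, then send one record through and look at what arrives on the syslog side: if each line still arrives as its own message, the line breaking is what to fix before touching the sed script. Two caveats: the stanza names and port are assumptions for this example, and if the data reaches this forwarder already parsed by another heavy forwarder or an indexer, the parsing pipeline is skipped and neither the LINE_BREAKER nor the SEDCMD applies.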

tkmads1
Explorer

Hi @mmodestino_splunk:

I am facing the same issue with removing backslashes from logs using SEDCMD in props on the indexer.
When I run the query | rex mode=sed "s/\\//g" in search it works, but when I put the same entry as below in props on the indexer it doesn't work:

SEDCMD-RemovingBackSlash = s/\\//g

0 Karma
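Before pushing a SEDCMD into props.conf, it helps to see exactly what a given script does to one event. Below is an added example: a small Python emulator of the SEDCMD syntax that props.conf documents (s/regex/replacement/flags, with g or an occurrence number as the flag, and y/chars/chars/ for transliteration). It is my code, not Splunk's engine, and it uses Python's re module where Splunk uses PCRE, so treat it as a sanity check for the script's shape and escaping rather than a faithful replica. The sample event is constructed from the LDAP record posted earlier in the thread. It exercises the letter swap from the first post, the newline stitching the poster is after, and the backslash removal from the last post, and it also shows why an unanchored s/m/t/g rewrites "time:" to "tite:" on the full record.

```python
import re


def parse_sed(script):
    """Split a Splunk-style sed script into (command, fields).

    Handles the two forms props.conf documents for SEDCMD-<class>:
      s/<regex>/<replacement>/<flags>   substitute; flags: g, or N for the Nth match only
      y/<chars>/<chars>/                transliterate
    Any delimiter character is accepted. Backslash + delimiter inside a field is the
    literal delimiter; every other backslash sequence is passed through as written
    (\\ stays an escaped backslash, \n stays a regex newline, \1 stays a group reference).
    """
    if len(script) < 3 or script[0] not in "sy":
        raise ValueError(f"unsupported sed script: {script!r}")
    cmd, delim = script[0], script[1]
    fields, field = [], []
    i = 2
    while i < len(script):
        ch = script[i]
        if ch == "\\" and i + 1 < len(script):
            nxt = script[i + 1]
            if nxt == delim:
                # Keep the escape inside the regex field (harmless to re); strip it in
                # replacement / transliteration fields, which are plain text.
                field.append("\\" + delim if (cmd == "s" and not fields) else delim)
            else:
                field.append(ch + nxt)
            i += 2
            continue
        if ch == delim:
            fields.append("".join(field))
            field = []
        else:
            field.append(ch)
        i += 1
    fields.append("".join(field))
    return cmd, fields


def compile_sed(script):
    """Return a function event -> event implementing one SEDCMD script."""
    cmd, fields = parse_sed(script)
    if cmd == "y":
        if len(fields) < 2 or len(fields[0]) != len(fields[1]):
            raise ValueError(f"y/// needs two strings of equal length: {script!r}")
        table = str.maketrans(fields[0], fields[1])
        return lambda event: event.translate(table)

    if len(fields) < 2:
        raise ValueError(f"s/// needs a regex and a replacement: {script!r}")
    regex, repl = re.compile(fields[0]), fields[1]
    flags = fields[2] if len(fields) > 2 else ""
    if flags == "":
        return lambda event: regex.sub(repl, event, count=1)   # first match only
    if flags == "g":
        return lambda event: regex.sub(repl, event)            # every match
    if flags.isdigit():
        nth = int(flags)

        def only_nth(event):
            seen = 0

            def pick(m):
                nonlocal seen
                seen += 1
                return m.expand(repl) if seen == nth else m.group(0)

            return regex.sub(pick, event)

        return only_nth
    raise ValueError(f"unsupported sed flags {flags!r} in {script!r}")


def apply_sedcmds(event, scripts):
    """Apply several SEDCMD scripts to one event, in the order given (an assumption:
    this emulator does not model how Splunk orders multiple SEDCMD-<class> keys)."""
    for script in scripts:
        event = compile_sed(script)(event)
    return event


# Constructed event modelled on the LDAP record posted in the thread (not real data).
SAMPLE_EVENT = (
    "time: 20180702100600\n"
    "dn: uid=xx11111,ou=xxxxxx,dc=xx\n"
    "changetype: modify\n"
    "replace: pwdFailureTime\n"
    "-\n"
    "replace: pwdAccountLockedTime"
)

if __name__ == "__main__":
    # The poster's goal: one line per record, fields joined with "|".
    print(apply_sedcmds(SAMPLE_EVENT, [r"s/\n/|/g"]))
    # The letter swap hits every "m" in the event, not just the one in "modify".
    print(apply_sedcmds(SAMPLE_EVENT, ["s/m/t/g"]))
    # Backslash removal as posted: the regex field is \\ , i.e. one literal backslash.
    print(apply_sedcmds(r"C:\Users\x\file", [r"s/\\//g"]))
```

The scripts are written as raw strings so what reaches parse_sed is byte for byte what would sit on the right-hand side of SEDCMD-<class> in props.conf; if the emulator's output is not what you expect, the script is the problem, and if it is, the next places to look are sourcetype assignment and line breaking on the host that parses the data.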