Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SEDCMD not executing

jcbrendsel
Path Finder
‎02-15-2011 12:21 AM

I am trying to clean up some log data at index time using SEDCMD.

  1. I have a custom sourcetype (cloudfront_http) that is configured on the forwarding machine.

  2. On the receiver/indexer, I have added the following two lines in props.conf

    [cloudfront_http]
SEDCMD-1-AppleTV = s/Apple%A0TV/AppleTV/g

The problem is that nothing is happening. The raw text 'Apple%A0TV' is still occuring and is not getting replaced.

Any ideas?

Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-15-2011 01:32 AM

If this is a light forwarder, SEDCMD will not run there, and must be run on the indexer. Please see http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for more details

Reply

DUThibault
Contributor
‎01-30-2018 11:06 AM

I can confirm that SEDCMD is ignored by a Universal Forwarder's local props.conf except if the sourcetype stanza's force_local_processing clause is = true (in which case a SEDCMD on the indexer will be ignored).

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-15-2011 10:06 PM

And the forwarder is a light forwarder? Or heavy? And there is no intermediate forwarder?

0 Karma
Reply

jcbrendsel
Path Finder
‎02-15-2011 08:50 AM

I am running SEDCMD on the indexer. But the data is coming from another machine (which is configured as a forwarder).

0 Karma
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 12:24 AM

The SEDCMD will not retroactively change the values for data that is already indexed. Have you confirmed that it's not working on new data?

Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 08:53 AM

I meant to say that I tested your SEDCMD, and it works. I can't edit my comment above to change the wording.

0 Karma
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 06:44 AM

The SEDCMD works. Try placing it on your forwarder -- it may not be configured as a light forwarder.

0 Karma
Reply

jcbrendsel
Path Finder
‎02-15-2011 01:24 AM

Correct. It is not working on new data. Are there any issues with orders of precedence? This is defined on a custom sourcetype which is defined in the forwarding server.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...