Re: SEDCMD not executing

jcbrendsel · ‎02-15-2011

I am trying to clean up some log data at index time using SEDCMD.

I have a custom sourcetype (cloudfront_http) that is configured on the forwarding machine.
On the receiver/indexer, I have added the following two lines in props.conf
```
[cloudfront_http]
SEDCMD-1-AppleTV = s/Apple%A0TV/AppleTV/g
```

The problem is that nothing is happening. The raw text 'Apple%A0TV' is still occuring and is not getting replaced.

Any ideas?

gkanapathy · ‎02-15-2011

If this is a light forwarder, SEDCMD will not run there, and must be run on the indexer. Please see http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for more details

DUThibault · ‎01-30-2018

I can confirm that SEDCMD is ignored by a Universal Forwarder's local props.conf except if the sourcetype stanza's force_local_processing clause is = true (in which case a SEDCMD on the indexer will be ignored).

gkanapathy · ‎02-15-2011

And the forwarder is a light forwarder? Or heavy? And there is no intermediate forwarder?

jcbrendsel · ‎02-15-2011

I am running SEDCMD on the indexer. But the data is coming from another machine (which is configured as a forwarder).

Ron_Naken · ‎02-15-2011

The SEDCMD will not retroactively change the values for data that is already indexed. Have you confirmed that it's not working on new data?

Ron_Naken · ‎02-15-2011

I meant to say that I tested your SEDCMD, and it works. I can't edit my comment above to change the wording.

Ron_Naken · ‎02-15-2011

The SEDCMD works. Try placing it on your forwarder -- it may not be configured as a light forwarder.

jcbrendsel · ‎02-15-2011

Correct. It is not working on new data. Are there any issues with orders of precedence? This is defined on a custom sourcetype which is defined in the forwarding server.

SEDCMD not executing

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout