Re: SEDCMD not executing

jcbrendsel · ‎02-15-2011

I am trying to clean up some log data at index time using SEDCMD.

I have a custom sourcetype (cloudfront_http) that is configured on the forwarding machine.
On the receiver/indexer, I have added the following two lines in props.conf
```
[cloudfront_http]
SEDCMD-1-AppleTV = s/Apple%A0TV/AppleTV/g
```

The problem is that nothing is happening. The raw text 'Apple%A0TV' is still occuring and is not getting replaced.

Any ideas?

gkanapathy · ‎02-15-2011

If this is a light forwarder, SEDCMD will not run there, and must be run on the indexer. Please see http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for more details

DUThibault · ‎01-30-2018

I can confirm that SEDCMD is ignored by a Universal Forwarder's local props.conf except if the sourcetype stanza's force_local_processing clause is = true (in which case a SEDCMD on the indexer will be ignored).

gkanapathy · ‎02-15-2011

And the forwarder is a light forwarder? Or heavy? And there is no intermediate forwarder?

jcbrendsel · ‎02-15-2011

I am running SEDCMD on the indexer. But the data is coming from another machine (which is configured as a forwarder).

Ron_Naken · ‎02-15-2011

The SEDCMD will not retroactively change the values for data that is already indexed. Have you confirmed that it's not working on new data?

Ron_Naken · ‎02-15-2011

I meant to say that I tested your SEDCMD, and it works. I can't edit my comment above to change the wording.

Ron_Naken · ‎02-15-2011

The SEDCMD works. Try placing it on your forwarder -- it may not be configured as a light forwarder.

jcbrendsel · ‎02-15-2011

Correct. It is not working on new data. Are there any issues with orders of precedence? This is defined on a custom sourcetype which is defined in the forwarding server.

SEDCMD not executing

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms