
Why is SEDCMD in props.conf to remove part of header line not working?

mburgess97
Path Finder

I am forwarding F5 logs from a syslog server, but I have an additional timestamp and host IP (log below with strike-through). I would like to remove these at index time. I am trying to accomplish this using SEDCMD. My Regex test is good and I've also used several iterations of regex to try and accomplish this. Any ideas on what I am doing wrong?

Location: opt/splunk/etc/apps/search/local/props.conf

[f5-apm]
category = Network & Security
pulldown_type = 1
SEDCMD-noheader = /s^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g

Dec 5 09:45:55 172.16.97.188 Dec 5 09:45:45 gg-f5-02.domain.org notice tmm1[24012]: 01490500:5: /dmz/VPNClient_access_policy:dmz:17709577: New session from client IP 54.244.52.193 (ST=Oregon/CC=US/C=NA) at VIP 172.16.253.152 Listener /dmz/apm_vpn_vs_https (Reputation=Unknown)

mburgess97
Path Finder

The props.conf is located on my indexer. I am not using an HF.

The sourcetype does appear to be f5-apm. It's a custom sourcetype I created listening over UDP. I see f5-apm in the GUI and in props.conf. Should I look somewhere else?


gcusello
SplunkTrust
SplunkTrust

Hi @mburgess97,

which add-on are you using for parsing?

see in the network input and in Splunk search if both of them have the "f5-apm" sourcetype,

and in general avoid using "-" in any value or field name, because sometimes Splunk reads it as a minus; use ":" or "_" instead.

Ciao.

Giuseppe


PickleRick
SplunkTrust
SplunkTrust

Isn't f5:apm sourcetype used by TA for F5? I would be cautious not to use the same sourcetype to avoid confusion.

Anyway, I'd receive the events with a syslog daemon, strip the header there, send them to Splunk and then I'd use the TA.


gcusello
SplunkTrust
SplunkTrust

Hi @mburgess97,

where did you locate this props.conf? It must be on the Indexers or, if present, on the first Heavy Forwarder.

If you take these syslogs using an HF, you have to locate it there.

Second check: are you sure that the sourcetype is "f5-apm"? Usually F5 logs change the sourcetype, and SEDCMD is one of the first commands that are executed: check this in props.conf and see what the original sourcetype is.

Ciao.

Giuseppe


mburgess97
Path Finder

f5-apm is listed under my data input and in the search app. I am not using an add-on. These are logs hitting Splunk directly from my syslog server without any additional add-on, etc.


gcusello
SplunkTrust
SplunkTrust

Hi @mburgess97,

please try this:

SEDCMD-noheader = s/^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g

Ciao.

Giuseppe

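To show why the original line failed and the corrected one works, here is an added Python emulation of the s/regex/replacement/flags form that SEDCMD expects (it is not Splunk's own parser, and only handles the "s" form with "/" as delimiter; the sample event is the one from the question). Splunk uses PCRE, but for \w, \s, \d and anchors Python's re behaves the same, and a final check confirms a syslog timestamp is still at the front of the event after stripping:

```python
import re

# Sample event from the thread: the syslog relay prepended its own timestamp and IP.
SAMPLE_EVENT = (
    "Dec 5 09:45:55 172.16.97.188 Dec 5 09:45:45 gg-f5-02.domain.org notice "
    "tmm1[24012]: 01490500:5: /dmz/VPNClient_access_policy:dmz:17709577: "
    "New session from client IP 54.244.52.193 (ST=Oregon/CC=US/C=NA) "
    "at VIP 172.16.253.152 Listener /dmz/apm_vpn_vs_https (Reputation=Unknown)"
)

# The expression from the question (delimiter before the 's') and the corrected one.
BROKEN_SEDCMD = r"/s^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g"
FIXED_SEDCMD = r"s/^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g"


def parse_sedcmd(expr):
    """Split 's/regex/replacement/flags' into (regex, replacement, flags).

    Assumption: only the 's' form with '/' as delimiter is emulated here.
    Raises ValueError when the expression does not start with 's/' or does
    not contain exactly three '/'-delimited fields (unescaped slashes only).
    """
    if not expr.startswith("s/"):
        raise ValueError("SEDCMD must start with 's/', got %r" % expr[:2])
    parts = re.split(r"(?<!\\)/", expr[1:])  # parts[0] is the empty lead field
    if len(parts) != 4:
        raise ValueError("expected s/regex/replacement/flags, got %d fields" % (len(parts) - 1))
    _, regex, replacement, flags = parts
    return regex, replacement, flags


def is_valid_sedcmd(expr):
    try:
        parse_sedcmd(expr)
        return True
    except ValueError:
        return False


def apply_sedcmd(expr, event):
    regex, replacement, flags = parse_sedcmd(expr)
    count = 0 if "g" in flags else 1  # 'g' replaces every match, otherwise only the first
    return re.sub(regex, replacement, event, count=count)


def strip_relay_header(event, expr=FIXED_SEDCMD):
    """Strip the relay header and verify a syslog timestamp still leads the event."""
    cleaned = apply_sedcmd(expr, event)
    if not re.match(r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s", cleaned):
        raise ValueError("stripped too much: no syslog timestamp left at start of event")
    return cleaned
```

Running `strip_relay_header(SAMPLE_EVENT)` returns the event starting at the original "Dec 5 09:45:45 gg-f5-02.domain.org" header, while `is_valid_sedcmd(BROKEN_SEDCMD)` is False because the expression does not begin with "s/".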