I am forwarding F5 logs from a syslog server, but I have an additional timestamp and host IP (log below with strike-through). I would like to remove these at index time. I am trying to accomplish this using SEDCMD. My Regex test is good and I've also used several iterations of regex to try and accomplish this. Any ideas on what I am doing wrong?
Location: opt/splunk/etc/apps/search/local/props.conf
[f5-apm]
category = Network & Security
pulldown_type = 1
SEDCMD-noheader = /s^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g
The props.conf is located on my indexer. I am not using an HF.
The sourcetype does appear to be f5-apm. It's a custom sourcetype I created listening over UDP. I see f5-apm in the GUI and in props.conf. Should I look somewhere else?
Hi @mburgess97,
which add-on are you using for parsing?
check in the network input and in the Splunk search whether both of them have the "f5-apm" sourcetype,
and in general avoid using "-" in any value or field name, because Splunk sometimes reads it as a minus sign; use ":" or "_" instead.
Ciao.
Giuseppe
Isn't the f5:apm sourcetype used by the TA for F5? I would be cautious not to use the same sourcetype, to avoid confusion.
Anyway, I'd receive the events with the syslog daemon, strip the header there, send them to Splunk and then use the TA.
Hi @mburgess97,
where have you located this props.conf? It must be on the Indexers or, if present, on the first Heavy Forwarder.
If you receive these syslogs through an HF, you have to put it there.
Second check: are you sure that the sourcetype is "f5-apm"? Usually F5 logs change the sourcetype, and SEDCMD is one of the first commands that are executed: check this in the props.conf and see what the original sourcetype is.
Ciao.
Giuseppe
f5-apm is listed under my data input and in the search app. I am not using an add-on. These are logs hitting Splunk directly from my syslog server without any additional add-on, etc.
Hi @mburgess97,
please try this:
SEDCMD-noheader = s/^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g
Ciao.
Giuseppe
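To see why the original SEDCMD never matched and what the corrected one actually strips, here is an added Python example (it is not from this thread and not Splunk's own code) that emulates Splunk's sed-style `s<delim>regex<delim>replacement<delim>flags` handling with the `re` module. The two log lines with a relay header and the one without are constructed samples, not the poster's logs; the F5 message text and IP addresses are invented placeholders.

```python
import re

# The two SEDCMD values from the thread: the poster's original (delimiter and
# 's' swapped) and the corrected form from the answer above.
ORIGINAL_SEDCMD = r"/s^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g"
CORRECTED_SEDCMD = r"s/^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g"

# Constructed sample events (not from the thread). The first two carry the
# extra "<Mon> <day> <HH:MM:SS> <relay IP> " header the syslog relay prepends;
# the third has no relay header and must be left untouched by the anchored regex.
SAMPLE_EVENTS = [
    "Jun 12 10:15:03 192.0.2.10 Jun 12 10:15:03 bigip1 notice apmd[1234]: 01490500:5: session started",
    "Jun 12 10:15:04 192.0.2.10 Jun 12 10:15:04 bigip1 warning tmm[2222]: 01490106:4: auth failed",
    "Jun 12 10:15:05 bigip1 notice apmd[1234]: 01490502:5: session ended",
]


def parse_sedcmd(value):
    """Split 's<delim>regex<delim>replacement<delim>flags' into its parts.

    Only the 'g' flag (replace all) and an empty flag (replace first) are
    emulated here; anything else is rejected so a typo cannot pass silently.
    Raises ValueError when the value is not a well-formed substitution.
    """
    if len(value) < 2 or value[0] != "s":
        raise ValueError("SEDCMD must start with 's' followed by a delimiter: %r" % value)
    delim = value[1]
    # Split on the delimiter unless it is backslash-escaped inside the regex.
    parts = re.split(r"(?<!\\)" + re.escape(delim), value[2:])
    if len(parts) != 3:
        raise ValueError("expected regex, replacement and flags separated by %r in %r" % (delim, value))
    regex, replacement, flags = parts
    if flags not in ("", "g"):
        raise ValueError("flag %r is not emulated by this example" % flags)
    return regex, replacement, flags


def sedcmd_is_valid(value):
    """True when parse_sedcmd accepts the value and its regex compiles."""
    try:
        regex, _, _ = parse_sedcmd(value)
        re.compile(regex)
        return True
    except (ValueError, re.error):
        return False


def apply_sedcmd(value, event):
    """Apply one SEDCMD value to one event string the way Splunk would at parse time."""
    regex, replacement, flags = parse_sedcmd(value)
    # 'g' replaces every match; without it only the first match is replaced.
    # With the leading '^' anchor both behave the same, since '^' matches once.
    count = 0 if flags == "g" else 1
    return re.sub(regex, replacement, event, count=count)


def strip_relay_header(events, sedcmd=CORRECTED_SEDCMD):
    """Apply the corrected SEDCMD to a list of events and return the results."""
    return [apply_sedcmd(sedcmd, e) for e in events]


if __name__ == "__main__":
    print("original value accepted:", sedcmd_is_valid(ORIGINAL_SEDCMD))
    print("corrected value accepted:", sedcmd_is_valid(CORRECTED_SEDCMD))
    for before, after in zip(SAMPLE_EVENTS, strip_relay_header(SAMPLE_EVENTS)):
        print("-", before)
        print("+", after)
```

Two things worth checking against your own data with this script: the regex is anchored with `^`, so it only strips a header that sits at the very start of the event (an event that already lacks the relay header passes through unchanged), and Splunk evaluates the real regex with PCRE rather than Python's `re`, though `\w`, `\d` and `\s` behave the same for this pattern. As Giuseppe notes, SEDCMD is applied during parsing on the indexer or first heavy forwarder, so it only affects events indexed after the props.conf change; already indexed events keep their header.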