Getting Data In

Why is SEDCMD in props.conf to remove part of header line not working?

mburgess97
Path Finder

I am forwarding F5 logs from a syslog server, but I have an additional timestamp and host IP (log below with strike-through). I would like to remove these at index time. I am trying to accomplish this using SEDCMD. My Regex test is good and I've also used several iterations of regex to try and accomplish this. Any ideas on what I am doing wrong?

Location: opt/splunk/etc/apps/search/local/props.conf

[f5-apm]
category = Network & Security
pulldown_type = 1
SEDCMD-noheader = /s^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g

Dec 5 09:45:55 172.16.97.188 Dec 5 09:45:45 gg-f5-02.domain.org notice tmm1[24012]: 01490500:5: /dmz/VPNClient_access_policy:dmz:17709577: New session from client IP 54.244.52.193 (ST=Oregon/CC=US/C=NA) at VIP 172.16.253.152 Listener /dmz/apm_vpn_vs_https (Reputation=Unknown)
Labels (2)
Tags (1)
0 Karma

mburgess97
Path Finder

The props.conf is located on my indexer. I am not using an HF.

The sourcetype does appear to be f5-apm. It's a custom sourcetype I created listening over UDP. I see f5-apm in the GUI and in props.conf. Should I look somewhere else?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mburgess97,

which add-on are you using for parsing?

see in the network input and in splunk search id both of them have "f5-apm" sourcetype,

and in general avoid to use "-" in every value or field because sometimes Splunk reads it as minus, use ":" or "_".

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Isn't f5:apm sourcetype used by TA for F5? I would be cautious not to use the same sourcetype to avoid confusion.

Anyway, I'd get the events by syslog daemon, strip the header there, sent them to Splunk and then I'd use the TA.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mburgess97,

where do you located this props.conf: it must be on Indexers or, if present in the first Heavy Forwarder.

If you take these syslogs using an HF, you have to locate it here.

Second check: are you sure that the sourcetype is "f5-apm" because usually F5 logs change the sourcetype and sedCMD is one of the first commands that are executed: see this in the props.conf and what's the original sourcetype.

Ciao.

Giuseppe

0 Karma

mburgess97
Path Finder

f5-apm is listed under my data input and in the search app. I am not using an add-on. These are logs hitting splunk directly from my syslog server without any additional add-on, etc..

f5.png

0 Karma

gcusello
SplunkTrust
SplunkTrust

i @mburgess97,

please try this:

SEDCMD-noheader = s/^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+//g

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...