Even this does not work.

For reference here's a quick comparison: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Typesofforwarders#Forwarder_comparison

"Per-Event filtering" is what you're doing here, basically.

I have added SEDCMD on heavy forwarder and it does not work. I have tested the settings individually using UI and it works.

You can do that, just not on a universal forwarder. Replace it with a heavy forwarder that does all the parsing, timestamping, regexreplacement, yada yada on the source machine and you're there. Then you will need this props.conf setting on the heavy forwarder.

Ok now I understand what universal forwarder client means. Thanks 🙂

From my point of view it makes more sense to anonymize data from the Forwarder and not on the server. That's why I always tried to configure the forwarder.

Yeah, this does belong on the indexer if you're sending it from a universal forwarder. Some newer settings also require some props.conf keys to be present on the forwarder, but stuff like SEDCMD doesn't - regardless of the version.

I found it! I was configuring the forwarder and not the server! Note with 6.1 props.conf might have to go on the UFs. From dev: With 6.1, the structured data props.conf are happening at monitoring time therefore the props.conf has also to be on the forwarders. makes me on the right way. Thanks for the help 🙂

Are you saying that props settings for structured data on the forwarder were interfering with props.conf settings on the indexer because the "monitoring time" for the inputs needs structured settings, but structured settings end the data parsing phase so that it cannot happen on the indexers?

I even try with another server, it does not work... Our forwarder has the version 5.0.4.

Well, something's fishy in your Splunk environment... I've just created a props.conf in system/local like this:

[default]
SEDCMD-ipi2 = y/e/g/

and now get events like this:

127.0.0.1 - admin [31/Oct/2014:22:02:08.023 +0100] "GET /sgrvicgsNS/admin/sgarch/sgarch/typgahgad?prgfix=indgx%3D_intgrnal&count=50&max_timg=1&output_modg=json HTTP/1.0" 200 73 - - - 2ms

Looks fing to mg.

Yes, i'm refreshing the page, which produce a log with the date, so I'm sure.

You are looking at stuff indexed after setting this, right?

Even with y/e/g the props.conf does not work...

The way I understand it, y/e/g/ shouldn't need the g flag because character substitution only makes sense globally... do try leaving off the global flag.

I always restarted before. With your debug option I even can read /opt/splunkforwarder/etc/system/local/props.conf SEDCMD-ipi2 = y/e/g/g. It seams that it does not appear as much as the other lines. But the letter e still appears on the splunk server.