Getting Data In

cut a specific phrase in props.conf

GSNRMUVW
Loves-to-Learn

Hi Community,

How to cut...

, "q": 0, "user": "system.user.admin"

...from...

{ "val": 0, "ts": 1770058561014, "q": 0, "user": "system.user.admin" }

...with SEDCMD in props.conf?

This...

[host::iobroker]
SEDCMD-remove = s/^, "q": 0, "user": "system.user.admin"$//g

...doesn't work!

Thank you in advance for your help - Markus


PickleRick
SplunkTrust

Unfortunately, you're trying to manipulate structured data with plain regexes. It might work if your jsons are always formatted the same way (which the jsons don't have to be since they rely on logical structure instead of strict formatting or fields order).

If your SEDCMD doesn't work, you're probably not matching the part right with your regex. Maybe it's about other whitespaces than you expect. Or maybe there's another number of those whitespaces.

Check your regex on your real data using https://regex101.com/ - it will show you if it matches or not and you'll be able to debug the regex and see where it fails if it does.


GSNRMUVW
Loves-to-Learn

Thanks for your suggestion.
I've already tried regex101, but the one that was successfully tested...

/, "q": 0, "user": "system.user.admin"/g

...doesn't work either.


PickleRick
SplunkTrust

OK. That suggests that your SEDCMD is not invoked at all (you could try something obviously right like

SEDCMD-test = s/a/z/g

to verify).

If it indeed doesn't work, that means that either:

1) It's defined in a wrong stanza (a typical mistake here would be attaching it to a host value which is not provided at the beginning of the ingestion pipeline but rather comes from a rewrite in the middle of it).

2) It's set on a wrong component (either on a UF or a heavy component - indexer or HF - which is not the first one in the event's path - like an indexer behind a HF).


GSNRMUVW
Loves-to-Learn

I can rule out both, as other manipulations work.
However, I was happy to carry out your test with the following result:

{ "vzl": 0, "ts": 1770063182265, "q": 0, "user": "system.user.zdmin" }

richgalloway
SplunkTrust

You have the right idea, but that regex doesn't work because it's told to expect , "q" at the beginning of the event, which doesn't match the data. Try

SEDCMD-remove = s/, "q": 0, "user": "system.user.admin"//g

Anchor tags (^ and $) are not needed as often as commonly thought.

---
If this reply helps you, Karma would be appreciated.
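The two points raised in this thread (the `^`/`$` anchors turning the phrase into a whole-event match, and JSON whitespace not being fixed) can be checked offline before touching props.conf. The following is an added example, not code from the thread or from Splunk: it uses Python's `re` module as a stand-in for the PCRE-style regex that SEDCMD's `s/pattern/replacement/g` syntax applies, runs the original anchored pattern, richgalloway's unanchored one, and a whitespace-tolerant variant against the sample event from the question (plus a constructed compact rendering of the same record), and finishes with a JSON-aware deletion to show what a structure-aware approach would do. The JSON step is not something SEDCMD can perform; it is there only to illustrate why regex editing of JSON is fragile.

```python
import json
import re

# Sample event exactly as posted in the question.
EVENT = '{ "val": 0, "ts": 1770058561014, "q": 0, "user": "system.user.admin" }'

# Constructed: the same record emitted by a serializer that writes no spaces.
# JSON permits this, so a producer-side library change can silently break a
# regex that hard-codes the spacing.
EVENT_COMPACT = '{"val":0,"ts":1770058561014,"q":0,"user":"system.user.admin"}'


def sed_like(pattern, replacement, event):
    """Apply a sed-style s/pattern/replacement/g substitution with re.sub.

    Assumption: Splunk's SEDCMD uses the same s/// form with PCRE-like regex
    semantics; for these simple patterns the match behaviour carries over.
    """
    return re.sub(pattern, replacement, event)


def anchored(event):
    # The original poster's pattern: ^ and $ require the phrase to be the
    # whole event, so it matches nothing and the event is returned unchanged.
    return sed_like(r'^, "q": 0, "user": "system.user.admin"$', '', event)


def unanchored(event):
    # richgalloway's suggestion: match the phrase anywhere in the event.
    # Works on the spacing seen in the question, fails on compact JSON.
    return sed_like(r', "q": 0, "user": "system.user.admin"', '', event)


def whitespace_tolerant(event):
    # PickleRick's caveat: allow any amount (including none) of whitespace
    # around the separators so both renderings match. Dots are escaped so
    # "system.user.admin" is matched literally.
    pattern = (r',\s*"q"\s*:\s*0\s*,\s*"user"\s*:\s*"system\.user\.admin"')
    return sed_like(pattern, '', event)


def json_aware(event, drop=("q", "user")):
    """Parse, drop the unwanted keys, re-serialize.

    Independent of key order and spacing, but NOT available inside SEDCMD;
    shown only to contrast structure-aware editing with regex editing.
    """
    obj = json.loads(event)
    for key in drop:
        obj.pop(key, None)
    return json.dumps(obj)


if __name__ == "__main__":
    for name, fn in (("anchored", anchored),
                     ("unanchored", unanchored),
                     ("whitespace_tolerant", whitespace_tolerant),
                     ("json_aware", json_aware)):
        print(f"{name:20s} spaced : {fn(EVENT)}")
        print(f"{name:20s} compact: {fn(EVENT_COMPACT)}")
```

Running it shows the anchored pattern leaving the event untouched, the unanchored pattern stripping the phrase only from the spaced rendering, and the whitespace-tolerant pattern handling both; the same regex strings can then be pasted into the SEDCMD and, as PickleRick suggested, confirmed against real events on regex101.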

GSNRMUVW
Loves-to-Learn

Thank you for your support... but unfortunately, this suggestion does not work, and the entire log continues to be indexed...
