index time SED from props.conf

jbower · ‎01-09-2012

Are the SED commands in props.conf excuted in order? In other words

Note: (All the following is under [default])

Can I write a test to set a field so it will fail a SED test

SEDCMD-callid =s/(.*callid)(=)(.*)/\1~\3/g

then run the main SED test

SEDCMD-ssnmask = s/(.*[ :=;,])(?!000)(?!666)(?!9)\d{3}[ -](?!00)\d\d[ -](?!0000)(\d{4}[ =;,&].*)/\1###SSN-SCRUBBED###\2/g
SEDCMD-ssnmask1 = s/(.*[ :=;,])(?!000)(?!666)(?!9)\d{3}(?!00)\d\d(?!0000)(\d{4}[ ;,&=].*)/\1###SSN-SCRUBBED###\2/g

and then change it back

SEDCMD-callid_fix =s/(.*callid)(~)(.*)/\1=\3/g

or might the indexer not always run the SED commands in that order?

jbower · ‎01-10-2012

I found how you do it (put all the SED commands on one line)
so

SEDCMD-Master = s/(.[ :=;,])(?!000)(?!666)(?!9)d{3} -dd -(d{4}[ =;,&].)/1###SSN-SCRUBBED###2/g s/(.[ :=;,])(?!000)(?!666)(?!9)d{3}(?!00)dd(?!0000)(d{4}[ ;,&=].)/1###SSN-SCRUBBED###2/g

and then thay will get excuted in order.

index time SED from props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation

index time SED from props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud