issues with SEDCMD

rusty009 · ‎04-07-2017

I have the below file being indexed in spunk,

{
    "records": 
    [

        { <event}}

and I would like to get rid of everything before {

so I'm executing the SEDCMD like below,

SEDCMD-StripHeader = s/{\s+\"records\":\s+\[\s+{/{/1

but it doesn't seem to be working. When I test it using the below splunk command it works a treat,

sourcetype="json:blob" | rex field=_raw mode=sed "s/{\s+\"records\":\s+\[\s+{/{/1"

I have restarted splunk, it's running on a single instance ( so this is my search head and indexer) - any ideas what I'm doing wrong?

somesoni2 · ‎04-07-2017

Try with this

SEDCMD-StripHeader = s/^(\{\s+\"records\":\s+\[\s+)//

REGEX 101 link to see the regular exp working https://regex101.com/r/zkIXVa/1

Please note that SEDCMD is an index-time operation and would only affect any new event that come after you've configured it. Any existing event will not modified.

nawazns5038 · ‎04-04-2019

which is the best instance to add SEDCMD ??

Is it heavy forwarder or indexer ?

rusty009 · ‎04-08-2017

that doesn't work unfortunately, is there an issue with my props.conf ?

somesoni2 · ‎04-08-2017

The regex of your's works too. I guess if you've a copy of the file that you're monitoring available locally, you can test the SEDCMD command from Add data wizard. (Settings-> Add data -> Upload, go to advanced tab of left side bar and add SEDCMD of your).

issues with SEDCMD

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?