issues with SEDCMD

rusty009 · ‎04-07-2017

I have the below file being indexed in spunk,

{
    "records": 
    [

        { <event}}

and I would like to get rid of everything before {

so I'm executing the SEDCMD like below,

SEDCMD-StripHeader = s/{\s+\"records\":\s+\[\s+{/{/1

but it doesn't seem to be working. When I test it using the below splunk command it works a treat,

sourcetype="json:blob" | rex field=_raw mode=sed "s/{\s+\"records\":\s+\[\s+{/{/1"

I have restarted splunk, it's running on a single instance ( so this is my search head and indexer) - any ideas what I'm doing wrong?

somesoni2 · ‎04-07-2017

Try with this

SEDCMD-StripHeader = s/^(\{\s+\"records\":\s+\[\s+)//

REGEX 101 link to see the regular exp working https://regex101.com/r/zkIXVa/1

Please note that SEDCMD is an index-time operation and would only affect any new event that come after you've configured it. Any existing event will not modified.

nawazns5038 · ‎04-04-2019

which is the best instance to add SEDCMD ??

Is it heavy forwarder or indexer ?

rusty009 · ‎04-08-2017

that doesn't work unfortunately, is there an issue with my props.conf ?

somesoni2 · ‎04-08-2017

The regex of your's works too. I guess if you've a copy of the file that you're monitoring available locally, you can test the SEDCMD command from Add data wizard. (Settings-> Add data -> Upload, go to advanced tab of left side bar and add SEDCMD of your).

issues with SEDCMD

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

issues with SEDCMD

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem