Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- issues with SEDCMD
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
issues with SEDCMD
I have the below file being indexed in spunk,
{
"records":
[
{ <event}}
and I would like to get rid of everything before {
so I'm executing the SEDCMD like below,
SEDCMD-StripHeader = s/{\s+\"records\":\s+\[\s+{/{/1
but it doesn't seem to be working. When I test it using the below splunk command it works a treat,
sourcetype="json:blob" | rex field=_raw mode=sed "s/{\s+\"records\":\s+\[\s+{/{/1"
I have restarted splunk, it's running on a single instance ( so this is my search head and indexer) - any ideas what I'm doing wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with this
SEDCMD-StripHeader = s/^(\{\s+\"records\":\s+\[\s+)//
REGEX 101 link to see the regular exp working https://regex101.com/r/zkIXVa/1
Please note that SEDCMD is an index-time operation and would only affect any new event that come after you've configured it. Any existing event will not modified.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
which is the best instance to add SEDCMD ??
Is it heavy forwarder or indexer ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that doesn't work unfortunately, is there an issue with my props.conf ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The regex of your's works too. I guess if you've a copy of the file that you're monitoring available locally, you can test the SEDCMD command from Add data wizard. (Settings-> Add data -> Upload, go to advanced tab of left side bar and add SEDCMD of your).
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Data Management Digest – May 2026
