Getting Data In

sedcmd no longer being applied after upgrade to 4.2

Explorer

I have a splunk indexer running on Linux that i recently upgraded to 4.2 and a lightforwarder running on a windows 2k8 that i upgraded to the universal forwarder. After the upgrade, the sedcmd line i have in the props.conf on my indexer doesn't appear to be working any more. I was using it to strip extraneous description text from server 2k8 logs. The logs are still showing up

The line in props.conf looks like this:

[wmi]
SEDCMD-remwinstr = s/(?ism)(This event is generated|Certificate information is only provided).*//g

I believe there is another question that has been asked that i think might be relevant as its happening here as well:

Universal Forwarder: WMI Hostname Config Ignored

For completeness, here is the wmi.conf file on the universal forwarder:

[WMI:DomainControllerLogs]
server = <host1>, <host2>, <host3>, <host4>
interval = 10
disabled = 0
event_log_file = Security
current_only = 0
1 Solution

Explorer

It appears this was the result of a bug that has been fixed in the 4.2.1 release. Both the forwarder AND the indexer must be updated for this issue to be corrected.

View solution in original post

Explorer

It appears this was the result of a bug that has been fixed in the 4.2.1 release. Both the forwarder AND the indexer must be updated for this issue to be corrected.

View solution in original post