Solved: sedcmd no longer being applied after upgrade to 4....

ajs07635 · ‎03-26-2011

I have a splunk indexer running on Linux that i recently upgraded to 4.2 and a lightforwarder running on a windows 2k8 that i upgraded to the universal forwarder. After the upgrade, the sedcmd line i have in the props.conf on my indexer doesn't appear to be working any more. I was using it to strip extraneous description text from server 2k8 logs. The logs are still showing up

The line in props.conf looks like this:

[wmi]
SEDCMD-remwinstr = s/(?ism)(This event is generated|Certificate information is only provided).*//g

I believe there is another question that has been asked that i think might be relevant as its happening here as well:

Universal Forwarder: WMI Hostname Config Ignored

For completeness, here is the wmi.conf file on the universal forwarder:

[WMI:DomainControllerLogs]
server = <host1>, <host2>, <host3>, <host4>
interval = 10
disabled = 0
event_log_file = Security
current_only = 0

ajs07635 · ‎05-13-2011

It appears this was the result of a bug that has been fixed in the 4.2.1 release. Both the forwarder AND the indexer must be updated for this issue to be corrected.

View solution in original post

ajs07635 · ‎05-13-2011

It appears this was the result of a bug that has been fixed in the 4.2.1 release. Both the forwarder AND the indexer must be updated for this issue to be corrected.

sedcmd no longer being applied after upgrade to 4.2

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

sedcmd no longer being applied after upgrade to 4.2

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers