
sedcmd not being applied

ajs07635
Explorer

I am trying to remove the extra description text that gets appended to Windows 2k8 logs using SEDCMD in props.conf. However, I can't seem to get it to work, no matter what I use as my expression. I am receiving events from a light forwarder on a Windows box that is pulling the events using WMI from our domain controllers. The indexer is actually a Linux box.

This is what I have in props.conf

[source::WMI:WinEventLog:Security]
SEDCMD-remwinstr = s/(?ism)This event is generated.*$//g

Nothing is being removed. I've tried all kinds of variations on both the stanza name as well as the regular expression itself. I've tried just [WMI:WinEventLog:Security], [WMI:WinEventLog*], [WMI*], and even the name of one of the hosts: [host::<hostname>]

I've also tried different variations of the regex. Even something like this doesn't do any replacement:

SEDCMD-remwinstr = s/(?ism)This/That/g

I've tried with and without (single or double) quotes around the entire part after the = as well. Thoughts?

1 Solution

gkanapathy
Splunk Employee

The problem is that the source of WMI:WinEventLog:Security is not actually set to WMI:WinEventLog:Security at the time that the rule is being matched. There is in fact a TRANSFORM that occurs at index time that sets the source to the value you see. Since it's not yet set, the [source::] stanza rule you have does not match against the data.

You'd actually need a stanza to match against sourcetype [wmi] to have it take effect. The problem here is that this will hit all WMI data, not just the Security Windows Event Log. That might be okay, though there will be a (small) performance cost.

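The accepted answer above explains why the stanza never fires; it says nothing about whether the regex itself is right. Before chasing stanza names, a practitioner normally checks the substitution offline against one raw event, so that a silent non-match can be blamed on the stanza and not on the expression. The script below is an added example written for this page, not code from the original post or from Splunk. It parses a Splunk-style SEDCMD value (`s<delim>regex<delim>replacement<delim>flags`, with `g` or a match number as the flag, the two forms Splunk documents for SEDCMD) and applies it with Python's re module. Python's re is not PCRE, which is what Splunk uses, but for expressions like the ones in this thread the two behave the same. The sample event is constructed to look like a Windows Server 2008 Security entry received over WMI; it is not a real capture, and the host name and values in it are made up.

```python
"""Offline check of a Splunk SEDCMD substitution against a sample event.

Added example for this thread, not Splunk's own code. Python's re module stands
in for the PCRE engine Splunk uses; for the simple expressions here they agree.
"""
import re

# Constructed sample in the shape of a Windows 2008 Security event pulled over
# WMI (EventCode 4624). Entirely made up for this example; the "This event is
# generated..." paragraph at the end is the description text the question
# wants removed.
SAMPLE_EVENT = (
    "10/12/2011 09:15:22 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\n"
    "Type=Information\n"
    "ComputerName=DC01.example.local\n"
    "TaskCategory=Logon\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t-\n"
    "\n"
    "Logon Type:\t\t\t3\n"
    "\n"
    "This event is generated when a logon session is created. It is generated "
    "on the computer that was accessed.\n"
    "\n"
    "The subject fields indicate the account on the local system which "
    "requested the logon.\n"
)

# The expression from the question, exactly as it appears after '=' in props.conf.
STRIP_DESCRIPTION = "s/(?ism)This event is generated.*$//g"


def parse_sedcmd(sedcmd):
    """Split 's<d>regex<d>replacement<d>flags' into its three parts.

    Any single character may serve as delimiter <d>. A backslash-escaped
    delimiter is kept as an escape inside the regex (so it stays a literal
    for the regex engine) and unescaped inside the replacement. Other
    escapes (\\d, \\1, \\\\) are passed through untouched.
    """
    if len(sedcmd) < 2 or sedcmd[0] != "s":
        raise ValueError("not an s/// substitution: %r" % sedcmd)
    delim = sedcmd[1]
    parts, buf, i = [], [], 2
    while i < len(sedcmd) and len(parts) < 2:
        ch = sedcmd[i]
        if ch == "\\" and i + 1 < len(sedcmd):
            nxt = sedcmd[i + 1]
            if nxt == delim:
                # In the regex keep it escaped; in the replacement keep just the char.
                buf.append("\\" + nxt if len(parts) == 0 else nxt)
            else:
                buf.append(ch + nxt)
            i += 2
        elif ch == delim:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(parts) != 2:
        raise ValueError("unterminated substitution: %r" % sedcmd)
    flags = sedcmd[i:]
    if not re.fullmatch(r"g|[0-9]*", flags):
        raise ValueError("SEDCMD flag must be 'g' or a match number: %r" % flags)
    return parts[0], parts[1], flags


def apply_sedcmd(sedcmd, text):
    """Apply one SEDCMD value to text the way Splunk's sed-style rule would."""
    regex, repl, flags = parse_sedcmd(sedcmd)
    pattern = re.compile(regex)  # inline flags such as (?ism) work here as in PCRE
    if flags == "g":
        return pattern.sub(repl, text)
    nth = int(flags) if flags else 1  # no flag: replace the first match only
    seen = [0]

    def replace_nth(match):
        seen[0] += 1
        return match.expand(repl) if seen[0] == nth else match.group(0)

    return pattern.sub(replace_nth, text)


if __name__ == "__main__":
    print(apply_sedcmd(STRIP_DESCRIPTION, SAMPLE_EVENT))
```

Run against the sample, the question's expression removes everything from "This event is generated" to the end of the event and leaves the fields above it intact, so the regex was never the problem; with `(?s)` in effect, `.*$` runs to the end of the whole event, which is what the poster wanted. Once the expression checks out, the remaining question is only whether Splunk loads the stanza at all; `splunk cmd btool props list --debug` shows which props.conf stanzas are in effect and where each came from.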

twinspop
Influencer

Just came across this post. Is there a ref somewhere for what the initial source/sourcetypes are? Can I find it in a forwarder log?

gkanapathy
Splunk Employee

Same problem with sourcetype I'm afraid. It is transformed at the same time as source. On the other hand, several million events per day isn't that much for a standard Splunk server to handle.


ajs07635
Explorer

That worked. I will have to watch the performance as we will be looking at several million events a day just from all the DCs. Is it not possible to specify a sourcetype of [wmi:wineventlog:security] as that is what is shown in the search results, or is the sourcetype changed via a transform as well?


ajs07635
Explorer

Yep. Every time I make a change, I restart Splunk through the manager UI.


ftk
Motivator

Have you restarted Splunk after putting your SEDCMD stanza in place?
