SEDCMD in props.conf

irwinj_125 · ‎03-21-2021

Hello,

In the Splunk GUI/Interface, I filter into the following commands to remove some unwanted data from being displayed:

| rex mode=sed field=_raw "s/ example: .+?( from |$)/ example: select from /g"
| rex mode=sed field=_raw "s/ in $.+?$ / in (...) /g"

How would I apply this to props.conf in my forwarder (or is there a better option i.e. transforms.conf)? I tried the following but did not seem to work for me.

[XX]
SEDCMD-first = s/ example: .+?( from |$)/ example: select from /g
SEDCMD-second = s/ in $.+?$ / in (...) /g
force_local_processing = true

scelikok · ‎03-22-2021

Hi @irwinj_125,

It is better doing these replacements on your indexers without force_local_processing=true.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

irwinj_125 · ‎03-23-2021

Thanks!

Yes my goal here is just to get the SEDCMD working, if I can do that I will disable local processing and set up on the indexer instead. Doing this locally allows me to test without having to re-start the indexer, which would affect all my forwarders (at least that's my thinking).

SEDCMD in props.conf

saved search

Explore the Latest Educational Offerings from Splunk

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!