Re: SEDCMD in props.conf

irwinj_125 · ‎03-21-2021

Hello,

In the Splunk GUI/Interface, I filter into the following commands to remove some unwanted data from being displayed:

| rex mode=sed field=_raw "s/ example: .+?( from |$)/ example: select from /g"
| rex mode=sed field=_raw "s/ in $.+?$ / in (...) /g"

How would I apply this to props.conf in my forwarder (or is there a better option i.e. transforms.conf)? I tried the following but did not seem to work for me.

[XX]
SEDCMD-first = s/ example: .+?( from |$)/ example: select from /g
SEDCMD-second = s/ in $.+?$ / in (...) /g
force_local_processing = true

scelikok · ‎03-22-2021

Hi @irwinj_125,

It is better doing these replacements on your indexers without force_local_processing=true.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

irwinj_125 · ‎03-23-2021

Thanks!

Yes my goal here is just to get the SEDCMD working, if I can do that I will disable local processing and set up on the indexer instead. Doing this locally allows me to test without having to re-start the indexer, which would affect all my forwarders (at least that's my thinking).

SEDCMD in props.conf

saved search

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

SEDCMD in props.conf

saved search

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?