Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Modify Field with Regex at Index Time

dbuehler
Loves-to-Learn Everything
‎10-27-2020 02:21 PM

Hey guys,

 

I have IIS logs that are logging multiple IPs to the X-Forwarded-For field as below: 

 

114.119.136.78,+162.158.119.25

 

 

I would like to apply a regex to the X-Forwarded-For field at index time to ensure the field only contains the first IP, like:

 

114.119.136.78

 

 

In other words, anything after the first comma should be cut out of the field.

 

So far I have tried to achieve this with the following props/transforms:

 

#props
[iis]
TRANSFORMS-rm-extra-ips = rm_extra_ips

#transforms
[rm_extra_ips]
SOURCE_KEY = field:X_Forwarded_For
REGEX = ^(.+?),

 

 

How do I do this?

Thanks!

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-27-2020 04:21 PM

If you want to modify the field at index time you would use SEDCMD, described in props.conf docs here

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

and also see this 

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Anonymizedata

and also some community posts, e.g.

https://community.splunk.com/t5/Getting-Data-In/How-to-configure-SEDCMD-in-props-conf/m-p/196633

https://community.splunk.com/t5/Getting-Data-In/SEDCMD-a-field/m-p/413484

Hope this helps

 

0 Karma
Reply

dbuehler
Loves-to-Learn Everything
‎10-28-2020 05:33 AM

Thanks, I was looking into SEDCMD originally, I've used it for other purposes before.

Can SEDCMD operate on just one field? Or does it have to operate on the entire event (_raw)?

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-28-2020 07:39 AM

Hi

Based on props.conf's spec no, if must operate towards _raw.

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw
  field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]
* No default.

r. Ismo 

0 Karma
Reply

dbuehler
Loves-to-Learn Everything
‎11-04-2020 09:59 AM

For some reason my props.conf config isn't being applied to my data.

I've found that this is the regex I need:

s/,+[.0-9\:a-z]*//g

And this regex works perfectly when run manually, i.e. using a sed command against a text file with a sample event:

cat sample.txt | sed 's/,+[.0-9\:a-z]*//g'

My props.conf (placed on my two indexers in /opt/splunk/etc/apps/my-iis-app/local) is configured to apply to the 'iis' sourcetype, which is correct, and looks like:

[iis]

SEDCMD-remove-extra-ips = s/,+[.0-9\:a-z]*//g

After restarting Splunk, the events are coming in un-modified. It appears the regex isn't being applied at all, as even if I change my config to a very simple test regex, that doesn't work either, e.g.:

[iis]
SEDCMD-test = s/10/test/g

Any ideas?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-04-2020 10:46 AM
Shoul you have \. Instead of . In your shed expression? First match to . second one match to every character.
0 Karma
Reply

dbuehler
Loves-to-Learn Everything
‎11-04-2020 11:10 AM

That regex works just the same in manual tests, but does not work when applied as a SEDCMD in props.conf.

It seems clear my props SEDCMD is not being applied to my data at all.

If I run:

/opt/splunk/bin/splunk btool --debug props list |grep SEDCMD

I see my setting showing up in the output. Is there any other way to troubleshoot if my SEDCMD is being applied?

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...