Yes windows, 7 and 2012 I have tried this on. It's just a bit hacky that SEDCMD-replacespaces = s/()/^/g means to replace any character with ^ and including spaces.

Yes this is in props.conf. As I stated, replacecolons works fine. I have re-tried various times on various configurations. The problem is replacing \s on its own. Is it working for you?

Can you try s/\ /_/g?

That has done trick once for me.

Thanks,
Raghav

Hi, this does not work, still not bringing in the events, SEDCMD has an issue with this

how about \s+ or putting the sedcmd in quotes?

Are there spaces when the sedcmd runs?

example

raw = THERE ARE SPACES
SEDCMD-AAA = s/THERE\sARE\sSPACES/TEHREARENTSPACES/g
SEDCMD-BBB = s/\s//g

Are you restarting splunk? Are you doing this on indexers and forwarders?

Hi, yes everything is working otherwise, doing this on heavy forwarder.

I'm looking at other options now, going to use regex capture groups and just try to scrape what I can.

My testimony here is that SED in splunk does not work identically to SED in linux. \s can not be found and replaced with anything in splunk. When reading up on SED in general, my command should work fine.

This may of course be a collision between transforms.conf etc... Or it could just be that there is some method required.

 \s works fine in sedcmd for me

+1 to @jkat54 's answer.

I created a script that writes "$Date T O D A Y I S $DAY" and configured the monitored input.

Inputs.conf
[monitor:///opt/splunk/bin/scripts/test.txt]
index=main
sourcetype=test

In props.conf,

[source::/opt/splunk/bin/scripts/test.txt]
SEDCMD-replacespaces = s/()/^/g

Bounced splunkd and here's the output in search

index=main sourcetype=test

Output:

^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^M^O^N^D^A^Y^
^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^T^U^E^S^D^A^Y^
^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^W^E^D^N^E^S^D^A^Y^
^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^T^H^U^R^S^D^A^Y^
^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^F^R^I^D^A^Y^
^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^S^A^T^U^R^D^A^Y^
^0^8^-^1^9^-^2^0^1^6^ ^T^O^D^A^Y^ ^I^S^ ^S^U^N^D^A^Y

I ran out of suggestions as all the proposed formats work for me.

Hope this helps!

Thanks,
Raghav

Thanks for that, slightly different to \s:

SEDCMD-replacespaces = s/()/^/g

I will give that a shot!

Cheers

I just tried the following from search, which is pretty much a mimic in props without the """

|gentimes start=-1|eval Space="THIS  IS   A   TEST"|rex mode=sed field=Space "s/( )/^/g" and the output is 

THIS^^IS^^^A^^^TEST

One last try may be?

Thanks,
Raghav

Hi, I'd imagine that will work here as well, though the search time stuff is a fairly different game to the indexing side?