Splunk Search

props.conf to capture specific words from the log files

ashwinipatil007
New Member

How to capture only the words "successfully sent using abc.def.com" before indexing in splunk from the below log file

"series","number","Date","Time","current","Message"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","08/16/16","07:45:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"

what is required props.conf and where to place it?

thanks in advance:)

0 Karma
1 Solution

to4kawa
Ultra Champion

props.conf

SEDCMD-trim_raw = s/^.*?(\d{2}\/\d{2}\/\d{2})...(\d{2}\:\d{2}\:\d{2}).*?(successfully sent using .*)\"/\1 \2 \3/
TIME_FORMAT = %m/%y/%d %T

View solution in original post

0 Karma

to4kawa
Ultra Champion

props.conf

SEDCMD-trim_raw = s/^.*?(\d{2}\/\d{2}\/\d{2})...(\d{2}\:\d{2}\:\d{2}).*?(successfully sent using .*)\"/\1 \2 \3/
TIME_FORMAT = %m/%y/%d %T
0 Karma

ashwinipatil007
New Member

can you please explain me what is SEDCMD-trim_raw?
it works perfect!
also could you you please edit the above regex to capture only "successfully sent"
(p.s I tried to modify but the regex doesn't work:/)

0 Karma

to4kawa
Ultra Champion
SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw 
  field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]

trim_raw is class name.

0 Karma
Get Updates on the Splunk Community!

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...