Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

props.conf to capture specific words from the log files

ashwinipatil007
New Member
‎04-15-2020 11:08 PM

How to capture only the words "successfully sent using abc.def.com" before indexing in splunk from the below log file

"series","number","Date","Time","current","Message"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","08/16/16","07:45:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"

what is required props.conf and where to place it?

thanks in advance:)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 05:14 AM

props.conf

SEDCMD-trim_raw = s/^.*?(\d{2}\/\d{2}\/\d{2})...(\d{2}\:\d{2}\:\d{2}).*?(successfully sent using .*)\"/\1 \2 \3/
TIME_FORMAT = %m/%y/%d %T

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 05:14 AM

props.conf

SEDCMD-trim_raw = s/^.*?(\d{2}\/\d{2}\/\d{2})...(\d{2}\:\d{2}\:\d{2}).*?(successfully sent using .*)\"/\1 \2 \3/
TIME_FORMAT = %m/%y/%d %T
0 Karma
Reply
Solved! Jump to solution

ashwinipatil007
New Member
‎04-16-2020 05:17 AM

can you please explain me what is SEDCMD-trim_raw?
it works perfect!
also could you you please edit the above regex to capture only "successfully sent"
(p.s I tried to modify but the regex doesn't work:/)

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-16-2020 05:30 AM 
SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw 
  field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]

trim_raw is class name.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...