Splunk Search

props.conf to capture specific words from the log files

ashwinipatil007
New Member

How do I capture only the words "successfully sent using abc.def.com" before indexing in Splunk from the log file below?

"series","number","Date","Time","current","Message"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","08/16/16","07:45:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"

What is the required props.conf, and where should it be placed?

thanks in advance:)

0 Karma
1 Solution

to4kawa
Ultra Champion

props.conf

# Placeholder stanza: the thread never names the sourcetype, replace with your own
[your_sourcetype]
# Rewrite _raw at index time: keep only the date, the time and the "successfully sent ..." text
# \1 = date, \2 = time, \3 = message tail; the "..." skips the "," between the two quoted fields
SEDCMD-trim_raw = s/^.*?(\d{2}\/\d{2}\/\d{2})...(\d{2}\:\d{2}\:\d{2}).*?(successfully sent using .*)\"/\1 \2 \3/
# The sample dates are mm/dd/yy (07/20/14), so the day comes before the year
TIME_FORMAT = %m/%d/%y %T


0 Karma

ashwinipatil007
New Member

Can you please explain to me what SEDCMD-trim_raw is?
It works perfectly!
Also, could you please edit the above regex to capture only "successfully sent"?
(P.S. I tried to modify it, but the regex doesn't work :/)

0 Karma

to4kawa
Ultra Champion

SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw 
  field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]

trim_raw is the class name.

0 Karma
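To make the spec above concrete, here is a small emulation of the SEDCMD `s` command run over the question's sample events. It is an added illustration, not Splunk's code or to4kawa's: it splits a sed script on unescaped delimiters, honours the `g` and numeric flags the spec lists, and applies the accepted answer's trim_raw script plus a hypothetical e-mail-masking class (my own, named MASK_EMAILS) of the kind the spec's "anonymize data" note refers to. The function names parse_sed_s and apply_sedcmd are mine too.

```python
import re

# Constructed sample _raw events, copied from the question's CSV log.
SAMPLE_EVENTS = [
    '"Info","0","07/20/14","07:09:03",,"draft: \'REQUEST REQUIRED\' From:\'abc@mail.com\' To:\'123@mail.com\' was successfully sent using abc.def.com"',
    '"Info","0","08/16/16","07:45:03",,"draft: \'REQUEST REQUIRED\' From:\'abc@mail.com\' To:\'123@mail.com\' was successfully sent using abc.def.com"',
]
# The SEDCMD-trim_raw script from the accepted answer, verbatim.
TRIM_RAW = r's/^.*?(\d{2}\/\d{2}\/\d{2})...(\d{2}\:\d{2}\:\d{2}).*?(successfully sent using .*)\"/\1 \2 \3/'
# Hypothetical extra class (my own): mask every e-mail address in the event,
# the index-time anonymization use case the SEDCMD spec mentions.
MASK_EMAILS = r"s/[\w.+-]+@[\w.-]+/<redacted>/g"

def parse_sed_s(script):
    """Split 's<d>regex<d>replacement<d>flags' on its unescaped delimiter <d>."""
    if len(script) < 2 or script[0] != "s":
        raise ValueError("only the s command is supported")
    delim, parts, buf, i = script[1], [], [], 2
    while i < len(script):
        ch = script[i]
        if ch == "\\" and i + 1 < len(script):
            nxt = script[i + 1]
            # An escaped delimiter becomes the literal delimiter; other escapes
            # (\d, \1, \") are passed through to the regex engine untouched.
            buf.append(nxt if nxt == delim else ch + nxt)
            i += 2
            continue
        if ch == delim:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    if len(parts) != 3:
        raise ValueError("malformed s command: %r" % script)
    return parts  # regex, replacement, flags

def apply_sedcmd(script, raw):
    """Apply one SEDCMD s command to an event's _raw the way Splunk does at index time."""
    regex, repl, flags = parse_sed_s(script)
    pattern = re.compile(regex)
    if flags == "g":                      # g: replace every match
        return pattern.sub(repl, raw)
    nth = int(flags) if flags else 1      # no flag: first match only; number: only that match
    seen = [0]
    def only_nth(m):
        seen[0] += 1
        return m.expand(repl) if seen[0] == nth else m.group(0)
    return pattern.sub(only_nth, raw)
```

Python's re engine is not the PCRE Splunk uses, so treat the output as an approximation; the same scripts can be tried in a search with `| rex mode=sed` before committing them to props.conf.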