Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

props.conf to capture specific words from the log files

ashwinipatil007
New Member
‎04-15-2020 11:08 PM

How to capture only the words "successfully sent using abc.def.com" before indexing in splunk from the below log file

"series","number","Date","Time","current","Message"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","08/16/16","07:45:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"

what is required props.conf and where to place it?

thanks in advance:)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 05:14 AM

props.conf

SEDCMD-trim_raw = s/^.*?(\d{2}\/\d{2}\/\d{2})...(\d{2}\:\d{2}\:\d{2}).*?(successfully sent using .*)\"/\1 \2 \3/
TIME_FORMAT = %m/%y/%d %T

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 05:14 AM

props.conf

SEDCMD-trim_raw = s/^.*?(\d{2}\/\d{2}\/\d{2})...(\d{2}\:\d{2}\:\d{2}).*?(successfully sent using .*)\"/\1 \2 \3/
TIME_FORMAT = %m/%y/%d %T
0 Karma
Reply
Solved! Jump to solution

ashwinipatil007
New Member
‎04-16-2020 05:17 AM

can you please explain me what is SEDCMD-trim_raw?
it works perfect!
also could you you please edit the above regex to capture only "successfully sent"
(p.s I tried to modify but the regex doesn't work:/)

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-16-2020 05:30 AM 
SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw 
  field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]

trim_raw is class name.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...