Splunk Search
Highlighted

props.conf to capture specific words from the log files

New Member

How to capture only the words "successfully sent using abc.def.com" before indexing in splunk from the below log file

"series","number","Date","Time","current","Message"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","07/20/14","07:09:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"
"Info","0","08/16/16","07:45:03",,"draft: 'REQUEST REQUIRED' From:'abc@mail.com' To:'123@mail.com' was successfully sent using abc.def.com"

what is required props.conf and where to place it?

thanks in advance:)

0 Karma
Highlighted

Re: props.conf to capture specific words from the log files

Ultra Champion

props.conf

SEDCMD-trim_raw = s/^.*?(\d{2}\/\d{2}\/\d{2})...(\d{2}\:\d{2}\:\d{2}).*?(successfully sent using .*)\"/\1 \2 \3/
TIME_FORMAT = %m/%y/%d %T

View solution in original post

0 Karma
Highlighted

Re: props.conf to capture specific words from the log files

New Member

can you please explain me what is SEDCMD-trim_raw?
it works perfect!
also could you you please edit the above regex to capture only "successfully sent"
(p.s I tried to modify but the regex doesn't work:/)

0 Karma
Highlighted

Re: props.conf to capture specific words from the log files

Ultra Champion
SEDCMD-<class> = <sed script>
* Only used at index time.
* Commonly used to anonymize incoming data at index time, such as credit
  card or social security numbers. For more information, search the online
  documentation for "anonymize data."
* Used to specify a sed script which Splunk software applies to the _raw 
  field.
* A sed script is a space-separated list of sed commands. Currently the
  following subset of sed commands is supported:
    * replace (s) and character substitution (y).
* Syntax:
    * replace - s/regex/replacement/flags
      * regex is a perl regular expression (optionally containing capturing
        groups).
      * replacement is a string to replace the regex match. Use \n for back
        references, where "n" is a single digit.
      * flags can be either: g to replace all matches, or a number to
        replace a specified match.
    * substitute - y/string1/string2/
      * substitutes the string1[i] with string2[i]

trim_raw is class name.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.