In the past, I have used SEDCMD statements in my props.conf to remove text and whole lines from events so they would not clog our indexes and clutter the search results with extraneous text.
However, today, I tried to set up an SEDCMD string to remove part of a line in our IIS logs, and it appeared to work, but somehow the actual effect is that it just removed the text from the regular search result, but if you expand the actual event, where you can see the 'Event Actions' button and all the fields, the string we were trying to remove is still available and searchable (still shows in the Interesting Fields).
Here is my script:
SEDCMD-Auth = s/Basic+.*//
I am trying to remove the content of the Authorization field that has been added to our IIS logs, along with everything else to the end of the line after that field.
This is a script I used earlier to remove a line from a Windows Event Log, and it is working fine:
SEDCMD-EventType = s/EventType=4\r\n//
What is the difference (aside from not removing a CR/LF)? What did I do wrong in the first one to cause Splunk to not actually prevent the data from being indexed? These are both in the etc/system/local/props.conf on our indexer, and we only use light forwarders.
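As an added illustration (not part of the original post or of Splunk itself), the snippet below applies the poster's SEDCMD expression to a constructed IIS log line with a Python regex, which uses the same `s/regex/replacement/` semantics, and shows two things a defender would want to check: that `Basic+` quantifies the letter `c` rather than matching a literal `+` (it still matches only because `.*` swallows the rest), and that the expression truncates every field after Authorization, whereas a scoped replacement redacts the credential and keeps the status and time-taken fields. The log line, the `apply_sedcmd` helper and the `[REDACTED]` marker are assumptions made for the example.

```python
import re

# Constructed IIS W3C log line for the example (not from the original post).
# IIS writes spaces inside a field value as '+', so a Basic credential is
# logged as "Basic+<base64>".  The base64 here is a made-up user:password.
SAMPLE_LINE = (
    "2014-05-01 12:00:00 10.0.0.5 GET /secure/report.aspx - 443 - 10.0.0.9 "
    "Mozilla/5.0 Basic+dXNlcjpwYXNzd29yZA== 200 0 0 15"
)

# The poster's expression: 'Basic+' means "Basi" followed by one or more 'c',
# so the literal '+' is not matched by it; '.*' then consumes the plus sign
# and everything to the end of the line, dropping sc-status and time-taken.
SED_TRUNCATE = "s/Basic+.*//"

# A scoped alternative: escape the '+', match only the non-space token that
# follows it, and keep the remaining fields intact.
SED_REDACT = r"s/Basic\+\S+/Basic+[REDACTED]/"


def apply_sedcmd(line: str, sed: str) -> str:
    """Apply a Splunk-style SEDCMD 's/<regex>/<replacement>/[g]' to one event.

    Minimal simulation for the example (assumption: no '/' inside the regex
    or replacement); Splunk and Python both use \\1 for capture groups.
    """
    if not sed.startswith("s/"):
        raise ValueError(f"only s/// expressions are supported: {sed}")
    regex, repl, flags = sed[2:].split("/")
    count = 0 if "g" in flags else 1  # 'g' replaces every match, else the first
    return re.sub(regex, repl, line, count=count)


def truncate(line: str = SAMPLE_LINE) -> str:
    """Result of the poster's expression: the credential is gone, but so are
    the fields after it."""
    return apply_sedcmd(line, SED_TRUNCATE)


def redact(line: str = SAMPLE_LINE) -> str:
    """Result of the scoped expression: credential replaced, other fields kept."""
    return apply_sedcmd(line, SED_REDACT)


if __name__ == "__main__":
    print("truncate:", truncate())
    print("redact:  ", redact())
```

Running it side by side makes the data loss visible: the truncated event ends after the User-Agent, while the redacted one still carries `200 0 0 15`.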