cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kirandhakal25
New Member
Member since: ‎12-30-2018
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-30-2018
Activity Feed
View All

Re: How to replace characters in logs using SEDCMD...

by in Getting Data In
‎01-06-2019 10:42 PM
‎01-06-2019 10:42 PM
Hi @mmodestino_splunk Thank you for replying. I now understand class is an identifier that we define ourselves, and may or may not use it anywhere else. For this problem, I do not see that I will need this combined class anywhere else. I will try to further illustrate the problem to chase the root cause. I am using Splunk of version 7.2.1 Inputs.conf [default] host = hostname _SYSLOG_ROUTING = devicename queueSize = 20GB persistentQueueSize = 30GB I am trying to catch logs coming in from port 1234. Since the logs are coming in alright, I am assuming that the configuration in Inputs.conf is all good. Or should I use port somewhere in there? The logs coming in are multiline and my primary purpose is to stitch the logs by replacing new line characters with "|". However, after failing to do so with multiple configurations, first I am determined to replace alphabets. The above configuration is all that I have configured for solaris:ldap in /opt/splunk/etc/system/local. I checked using the btool and there are other fields and values which are used from /opt/splunk/etc/system/default. The log sample I have given above is a complete line from a multiline log. It is not the first line of the log though. The complete log looks something like this: time: 20180702100600 dn: uid=xx11111,ou=xxxxxx,ou=xxxxxx,dc=xx,dc=xxxx,dc=xxxx,dc=xxxx,dc=xxx,dc=xx changetype: modify replace: pwdFailureTime - replace: pwdAccountLockedTime ... View more

How to replace characters in logs using SEDCMD in ...

by in Getting Data In
‎01-04-2019 08:03 PM
‎01-04-2019 08:03 PM
I have a splunk heavy forwarder setup where the logs are not indexed but are forwarded to another device. I am trying to replace some characters in the logs and forward the changed logs to another device. I tried the following configuration without any success. props.conf in /opt/splunk/etc/system/local/ [solaris:ldap] SEDCMD-combined = s/m/t/g TRANSFORMS-routing = send_to_syslog Log Sample changetype: modify I am expecting changetype: todify in the syslog port of the forwarded device. The logs are coming in but without any changes. I checked for related questions, but most questions have been answered in reference to indexers and not forwarders, so would also like to know if SEDCMD actually works for forwarders without indexers. In addition, in the above configuration, I am not sure what combined in line SEDCMD-combined does as I could not find a proper definition of that particular field in the documentation. I looked for other examples and copied it from there. Could anyone answer my questions and help me solve my problem? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM