×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
selenith
Engager
Member since: ‎08-02-2019
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎08-02-2019
Activity Feed
View All

Does "rex mode=sed" pass as SEDCMD regex check?

by in Getting Data In
‎08-02-2019 02:40 AM
‎08-02-2019 02:40 AM
Hello. I'm attempting to reduce the volume of log message with full text of terms and conditions, through using SEDCMD command in props.conf at Indexer machine. For that I created the following sed regex: "s/(?<=General Terms and Conditions)(?s)(.*$)/.../g" When i test it in Splunk using | rex field=_raw mode=sed "s/(?<=General Terms and Conditions)(?s)(.*$)/.../g" it replaces full text with "General Terms and Conditions..." which is good. Does that mean that I can safely copy this in props.conf as SEDCMD="s/(?<=General Terms and Conditions)(?s)(.*$)/.../g" or syntax there is different? Asking because currently we have a single search-head|indexer machine which I can't restart freely each time I want to test something, so I'm looking for another way to make sure it will work. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All