What do you mean by "end of log"? Splunks returns results from search (and operates on them with streaming commands) one event at a time. Futrthermore, rex's sed doesn't accept any other modifiers than "g" or a number which means that it won't work in multiline mode. So best you can do with sed-mode is append a string at the end of the line. It's meant for data anonymization rather than some fancy sed-voodoo. If you only want to append a string to the end of the event, why don't you just do eval appending said string to the _raw field? ... View more

Hi @jazzijeff, yes, its possible. You can do it on Heavy Forwarders (when present) or on indexers (without HFs). The way to do this are (as described at https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata#Anonymize_data_with_a_regular_expression_transform : the SEDCMD command in props.conf, props.conf and transforms.conf. It's the same thing that anonymize data, because you have to do a transformation on you data: in this case you have to transform the _row log that matches a regex in the same log adding the string "<Review Required>" , something like this in props.conf: [your_sourcetype] SEDCMD-add_string = s/.*your_string.*/.*your_string.*\<Review Required\>/g  Ciao. Giuseppe ... View more