×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
best-west
Explorer
Member since: ‎11-06-2024
‎11-07-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎11-06-2024
Activity Feed
View All

Re: SEDCMD not working in Splunk Cloud

by in Getting Data In
‎11-06-2024 10:29 AM
‎11-06-2024 10:29 AM
Thank you for responding! Yes, it's coming from syslog server with UF installed going to Cloud. I unfortunately don't have any HFs available for use and setting up another one at this time is not an option for me. ... View more

Re: SEDCMD not working in Splunk Cloud

by in Getting Data In
‎11-06-2024 10:23 AM
‎11-06-2024 10:23 AM
Hi! Thank you so much for your response and explanation. It seems like maybe I have not properly deployed these to the indexing tier. Forgive me for the beginner question, but I think the sourcetype I created already belongs to the 000-self-service app - is this what you meant by deploying the config using self service? Screenshot below (I didn't capture the full sourcetype name):      ... View more

Re: SEDCMD not working in Splunk Cloud

by in Getting Data In
‎11-06-2024 09:17 AM
‎11-06-2024 09:17 AM
Replied to my own post. Derp. 🙂 Hi! Thank you so much for your response and explanation. It seems like maybe I have not properly deployed these to the indexing tier. Forgive me for the beginner question, but I think the sourcetype I created already belongs to the 000-self-service app - is this what you meant by deploying the config using self service? Screenshot below (I didn't capture the full sourcetype name):   ... View more

SEDCMD not working in Splunk Cloud

by in Getting Data In
‎11-06-2024 05:57 AM
‎11-06-2024 05:57 AM
I have syslogs coming into Splunk that need some cleaning up - it's essentially JSON with a few extra characters here and there (but enough to be improperly formatted). I'd really like to be able to use KV_MODE = json to auto extract fields, but those additional characters prevent this from happening. So I wrote a few SEDCMDs to remove those additional characters and applied the following stanzas to a new sourcetype: However, in our distributed Splunk Cloud environment, these SEDCMDs are not working. There are no errors in the _internal index pertaining to this sourcetype, and I can tell the sourcetype is applying because any key/value pairs in the data that pop up before the extra characters are automatically extracted at search-time as expected (so at least I know the KV_MODE stanza is trying to work). Because the SEDCMDs are not removing the extra characters, the other fields are not being auto-extracted. In my all-in-one test environment, the SEDCMDs work perfectly alongside KV_MODE to clean up the data and pull out the fields. I can't quite determine why it isn't working in Cloud - the syslog servers forwarding this data have Universal Forwarders so I understand why the sourcetype isn't applying at that level... but this sourcetype should be hitting the indexers and applied there, no? What am I missing?    ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-07-2024 02:46 PM
Karma given to
View All