For some reason my props.conf config isn't being applied to my data. I've found that this is the regex I need:

    s/,+[.0-9\:a-z]*//g

And this regex works perfectly when run manually, i.e. using a sed command against a text file with a sample event:

    cat sample.txt | sed 's/,+[.0-9\:a-z]*//g'

My props.conf (placed on my two indexers in /opt/splunk/etc/apps/my-iis-app/local) is configured to apply to the 'iis' sourcetype, which is correct, and looks like:

    [iis]
    SEDCMD-remove-extra-ips = s/,+[.0-9\:a-z]*//g

After restarting Splunk, the events are coming in un-modified. It appears the regex isn't being applied at all, as even if I change my config to a very simple test regex, that doesn't work either, e.g.:

    [iis]
    SEDCMD-test = s/10/test/g

Any ideas?