cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
dbuehler
Loves-to-Learn Everything
Member since: ‎05-04-2020
‎11-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-04-2020
Activity Feed
View All

Re: Modify Field with Regex at Index Time

by in Splunk Search
‎11-04-2020 11:10 AM
‎11-04-2020 11:10 AM
That regex works just the same in manual tests, but does not work when applied as a SEDCMD in props.conf. It seems clear my props SEDCMD is not being applied to my data at all. If I run: /opt/splunk/bin/splunk btool --debug props list |grep SEDCMD I see my setting showing up in the output. Is there any other way to troubleshoot if my SEDCMD is being applied? ... View more

Re: Modify Field with Regex at Index Time

by in Splunk Search
‎11-04-2020 09:59 AM
‎11-04-2020 09:59 AM
For some reason my props.conf config isn't being applied to my data. I've found that this is the regex I need: s/,+[.0-9\:a-z]*//g And this regex works perfectly when run manually, i.e. using a sed command against a text file with a sample event: cat sample.txt | sed 's/,+[.0-9\:a-z]*//g' My props.conf (placed on my two indexers in /opt/splunk/etc/apps/my-iis-app/local) is configured to apply to the 'iis' sourcetype, which is correct, and looks like: [iis] SEDCMD-remove-extra-ips = s/,+[.0-9\:a-z]*//g After restarting Splunk, the events are coming in un-modified. It appears the regex isn't being applied at all, as even if I change my config to a very simple test regex, that doesn't work either, e.g.: [iis] SEDCMD-test = s/10/test/g Any ideas? ... View more

Re: Modify Field with Regex at Index Time

by in Splunk Search
‎10-28-2020 05:33 AM
‎10-28-2020 05:33 AM
Thanks, I was looking into SEDCMD originally, I've used it for other purposes before. Can SEDCMD operate on just one field? Or does it have to operate on the entire event (_raw)?   ... View more

Modify Field with Regex at Index Time

by in Splunk Search
‎10-27-2020 02:21 PM
‎10-27-2020 02:21 PM
Hey guys,   I have IIS logs that are logging multiple IPs to the X-Forwarded-For field as below:    114.119.136.78,+162.158.119.25     I would like to apply a regex to the X-Forwarded-For field at index time to ensure the field only contains the first IP, like:   114.119.136.78     In other words, anything after the first comma should be cut out of the field.   So far I have tried to achieve this with the following props/transforms:   #props [iis] TRANSFORMS-rm-extra-ips = rm_extra_ips #transforms [rm_extra_ips] SOURCE_KEY = field:X_Forwarded_For REGEX = ^(.+?),     How do I do this? Thanks! ... View more
Labels

How do I blacklist events with a field containing ...

by in Getting Data In
‎05-04-2020 01:45 PM
‎05-04-2020 01:45 PM
I have a set of JSON data and I would like to ignore (blacklist) all events where the field "id.orig_h" contains the value "192.168.0.1". So far, I've tried using the blacklisting procedure for Windows EventCodes as a model, but with no success. Example EventCode blacklist: [WinEventLog:Security] blacklist1 = EventCode = "4662" Message = "Account Name:\s+(example account)" What I've tried: 1) Adding the blacklist underneath the monitor stanza in inputs.conf [monitor:///opt/bro/logs/current] index = yada sourcetype = yadayada blacklist = id.orig_h = "192.168.0.1" 2) Adding the blacklist under a separate sourcetype stanza in inputs.conf [monitor:///opt/bro/logs/current] index = yada sourcetype = yadayada [yadayada] blacklist = id.orig_h = "192.168.0.1" How can I achieve this? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-05-2020 10:46 PM