Solved: Can I test SECCMD from command line using oneshot?

markconlin · ‎08-04-2017

I am attempting to test a SEDCMD for event manipulation and it does not appear this is possible via oneshot?
When I try to test SEDCMD in my props.conf it never appears to work.

props.conf

[testst]
SEDCMD-xml = s/"xml":/"chicken":/

my command line attempt to test it

$./splunk add oneshot test.json -sourcetype testst -index mytest

my test event

{ "xml":"<Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:awsse=\"http://xml.chicken.com/2010/06/Session_v3\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><Header><To>http://www.w3.org/2005/08/addressing/anonymous</To><From><Address>..... AND SO ON BIG GIANT NASTEY XML",
  "other3":"even more stuff"}

proof this sed works on the command line

$ cat fakeevent.json | sed -e 's/"xml":/"chicken":/'
    { "chicken":"<Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:awsse=\"http://xml.chicken.com/2010/06/Session_v3\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><Header><To>http://www.w3.org/2005/08/addressing/anonymous</To><From><Address>..... AND SO ON BIG GIANT NASTEY XML", "other3":"even more stuff"}

markconlin · ‎08-04-2017

Ah - I forgot to restart. All is well. oneshot will test sourcetype SEDCMD lines in props.conf IF you remember to restart.

View solution in original post

markconlin · ‎08-04-2017

Ah - I forgot to restart. All is well. oneshot will test sourcetype SEDCMD lines in props.conf IF you remember to restart.

Can I test SECCMD from command line using oneshot?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!