Splunk Search

SEDCMD not working on Heavy forwarder and Http Event Collect?

clorne
Communicator

Hello,

I have data collected through a Splunk HEC on a Heavy Forwarder.

The data has this structure:

2023-03-16T16:59:01+01:00 serverIP event_info [data1][datat2] {json_data}.

I want to get the json_data indexed as raw data. I have tried several regexes with SEDCMD. They all work on a standalone Splunk, but they have no effect with the configuration Splunk HF -> Splunk IDX.

Here is my latest SEDCMD: SEDCMD-json=s/^[^{]+//g

Currently there is no TA on the Splunk indexer and I am wondering if this is the cause of the issue. Is SEDCMD compatible with HEC?

Regards


clorne
Communicator

The only difference is that this is not JSON data, the SEDCMD is successful, and it is not done on the indexer.


richgalloway
SplunkTrust

The document I linked to is not canonical, so it may have errors. If you found instances where SEDCMD works, then that's the better answer.

---
If this reply helps you, Karma would be appreciated.

clorne
Communicator

I am still checking on other TAs, but I have seen one where the SEDCMD is working with the HEC collection. Therefore I do not know what to think.


richgalloway
SplunkTrust

HEC events pass through a different pipeline that doesn't include SEDCMD. See https://www.aplura.com/assets/pdf/hec_pipelines.pdf

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

Actually, this document shows that HEC-ingested events go through filtering/routing. They just might skip timestamp parsing and line breaking/line merging. Generally speaking, events pushed to HEC should get through transforms normally (including SEDCMD).

The question is whether the props calling those transforms are properly configured (right sourcetype/source/host), whether the transforms are called at all, and so on.


clorne
Communicator

Yes, the configuration is correct. At the beginning we had a complicated transform to remove the header. It was working only partially (75%), so we decided to use the SEDCMD.


clorne
Communicator

Hello,

Thanks for your reply Richgalloway.

So, do you think that putting the TA (at least the SEDCMD part) on the indexer would solve my problem?

I just checked the other TAs used by my company and it seems that they have put the TA on the HF AND on the indexer. Therefore SEDCMD should work on it?

Regards

Céline


PickleRick
SplunkTrust

Events are parsed on the first "heavy" component they go through (unless there is some very strange configuration in place which skips some queues) so your HEC-ingested events _should_ be processed on the HF and pushed as parsed to indexers where they would not be touched anymore.
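As an added illustration that is not from the thread, a minimal inputs.conf/props.conf pair on the Heavy Forwarder showing the point made above: the SEDCMD lives in a props.conf stanza that must match the sourcetype the HEC token assigns, and it has to be present on the HF, the first heavy component the events hit. The token name hec_app, the sourcetype app:json and the index name are assumptions.

```ini
# inputs.conf on the Heavy Forwarder (added example; token name, sourcetype
# and index are assumptions, the token value is a placeholder)
[http://hec_app]
disabled = 0
token = <token-value-placeholder>
sourcetype = app:json
index = app_events

# props.conf on the same Heavy Forwarder.
# The stanza name must equal the sourcetype the token assigns (app:json);
# a stanza that exists only on the indexer is not applied, because the
# events arrive there already parsed.
[app:json]
# SEDCMD from the original question: drop everything before the first "{"
# so that only the JSON payload remains in _raw.
SEDCMD-json = s/^[^{]+//g
```

To confirm the stanza really resolves on the HF, run `splunk btool props list app:json --debug` there; it prints the effective settings for that sourcetype together with the file each one comes from.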
