
Forums: SplunkGeneral: Indexes processing with sed




Hello all,

I have to suppress some fields in events before indexing. I think I have to use sed.

I tried to test it but it does not work. I have defined in /opt/splunk/etc/system/local a file props.conf with

[source::.../messages]
SEDCMD-messages = s/(.+donypie).+(Pierre).+(you)/work\3/g

When I send "Hi Pierre how are you doing" to syslog with a logger command, I should see after the sed only "work you", because I replaced the regex I matched with "work" and field 3 = "you".

But it does not work: when I go to Splunk I see the whole message, not processed by the sed:

Dec 2 11:42:02 ubuntusrv1 donypie: Hi Pierre how are you doing host=ubuntusrv1 sourcetype=syslog source=/var/log/messages

Can you please help me?
Thanks
Regards
Pierre.
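The following is an added example, not code from the thread or from Splunk: a small emulator of what an index-time SEDCMD does to one raw event, so the effect of a stanza like the one above can be checked before it is deployed to the parsing tier (indexer or heavy forwarder, where SEDCMD is applied; a universal forwarder does not run it). The SEDCMD string, the sample events and the extra masking expression are constructed for illustration; the parser assumes "/" as delimiter and handles only s/// substitutions. Note that the replacement "work\3" glues the literal and the backreference together, so a space has to be written into the replacement if one is wanted in the indexed event.

```python
import re

# Constructed sample event, modelled on the syslog line in the post.
SAMPLE_EVENT = "Dec 2 11:42:02 ubuntusrv1 donypie: Hi Pierre how are you doing"

# The SEDCMD from the stanza in the post (sed-style s/regex/replacement/flags).
SEDCMD_FROM_POST = r"s/(.+donypie).+(Pierre).+(you)/work\3/g"

# Same expression with a space in the replacement, to show the difference.
SEDCMD_WITH_SPACE = r"s/(.+donypie).+(Pierre).+(you)/work \3/g"

# A typical index-time masking expression (constructed): blank a secret value
# before it is written to the index, keeping the field name for searchability.
SEDCMD_MASK_PASSWORD = r"s/(password=)\S+/\1[MASKED]/g"


def parse_sedcmd(sedcmd):
    """Split a sed-style substitution into (regex, replacement, flags).

    Assumption: '/' is the delimiter; an escaped '\\/' is not treated as
    a delimiter. Only s/// substitutions are handled."""
    if not sedcmd.startswith("s/"):
        raise ValueError("only s/// substitutions are handled")
    parts = re.split(r"(?<!\\)/", sedcmd[2:])
    if len(parts) != 3:
        raise ValueError("expected s/regex/replacement/flags")
    regex, replacement, flags = parts
    return regex, replacement, flags


def apply_sedcmd(sedcmd, event):
    """Emulate one SEDCMD applied to one raw event at index time.

    sed backreferences (\\1, \\2, ...) map directly onto Python's re.sub
    group references; the 'g' flag means replace every match, otherwise
    only the first."""
    regex, replacement, flags = parse_sedcmd(sedcmd)
    count = 0 if "g" in flags else 1
    return re.sub(regex, replacement, event, count=count)


def apply_sedcmds(sedcmds, event):
    """Apply several SEDCMDs in the given list order (assumption: this
    mirrors having several SEDCMD-<class> lines in one props.conf stanza)."""
    for sedcmd in sedcmds:
        event = apply_sedcmd(sedcmd, event)
    return event


if __name__ == "__main__":
    print(apply_sedcmd(SEDCMD_FROM_POST, SAMPLE_EVENT))
    print(apply_sedcmd(SEDCMD_WITH_SPACE, SAMPLE_EVENT))
    print(apply_sedcmd(SEDCMD_MASK_PASSWORD,
                       "user=alice password=hunter2 action=login"))
```

Running the script with the post's expression gives "workyou doing": the three groups capture up to the last "you", everything matched is replaced by the literal "work" plus group 3, and the trailing " doing" is untouched. Checking a SEDCMD this way also catches the common deployment mistake of placing the stanza on a host that never parses the data.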

Hi,

It works! Sorry for this post.

Pierre.