Refine your search:

sedcmd not being applied

2

I am trying to remove the extra description text that gets appended to windows 2k8 logs using SEDCMD in props.conf. However, I can't seem to get it to work, no matter what i use as my expression. I am receiving events from a light forwarder on a windows box that is pulling the events using WMI from our domain controllers. The indexer is actually a linux box.

This is what I have in props.conf

[source::WMI:WinEventLog:Security]
SEDCMD-remwinstr = s/(?ism)This event is generated.*$//g

Nothing is being removed. I've tried all kinds of variations on both the stanza name as well as the regular expression itself. I've tried just [WMI:WinEventLog:Security], [WMI:WinEventLog*], [WMI*], and even the name of one of the hosts: [host::<hostname>]

I've also tried different variations of the regex. Even something like this doesn't do any replacement:

SEDCMD-remwinstr = s/(?ism)This/That/g

I've tried with and without (single or double) quotes around the entire part after the = as well. Thoughts?

asked 03 Feb '11, 15:20

ajs07635's gravatar image

ajs07635
555
accept rate: 50%

edited 03 Feb '11, 16:12

ftk's gravatar image

ftk ♦
6.8k1727

Have you restarted Splunk after putting your SEDCMD stanza in place?

(03 Feb '11, 16:15) ftk ♦

yep. every time I make a change, I restart splunk through the manager UI.

(03 Feb '11, 16:23) ajs07635
One Answer:
oldestnewestmost voted
1

The problem is that the source of WMI:WinEventLog:Security is not actually set to WMI:WinEventLog:Security at the time that the rule is being matched. There is in fact a TRANSFORM that occurs at index time that sets the source to the value you see. Since it's not yet set, the [source::] stanza rule you have does not match against the data.

You'd actually a stanza to match against sourcetype [wmi] to have it take effect. The problem here is that this will hit all WMI data, not just the Security Windows Event Log. That might be okay, though there will be a (small) performance cost.

link

answered 03 Feb '11, 20:58

gkanapathy's gravatar image

gkanapathy ♦
32.4k4827
accept rate: 41%

That worked. I will have to watch the performance as we will be looking at several million events a day just from all the DCs. Is it not possible to specify a sourcetype of [wmi:wineventlog:security] as that is what is shown in the search results, or is the sourcetype changed via a transform as well?

(03 Feb '11, 21:36) ajs07635

Same problem with sourcetype I'm afraid. It is transformed at the same time as source. On the other hand, several million events per day isn't that much for a standard Splunk server to handle.

(04 Feb '11, 01:29) gkanapathy ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×35

Asked: 03 Feb '11, 15:20

Seen: 914 times

Last updated: 03 Feb '11, 20:58

Related questions

SEDCMD pattern replacement not working

sedcmd no longer being applied after upgrade to 4.2

SEDCMD not executing

remove space and tab char between from ">" "<\"

SEDCMD tab insert

SEDCMD to anonymize CC data isnt working

SEDCMD is not working

SEDCMD help with Windows DNS logs

Index time SEDCMD not applying when indexer is split from search head

Copyright © 2005-2012 Splunk Inc. All rights reserved.