Refine your search:

SEDCMD not executing

0

I am trying to clean up some log data at index time using SEDCMD.

  1. I have a custom sourcetype (cloudfront_http) that is configured on the forwarding machine.

  2. On the receiver/indexer, I have added the following two lines in props.conf

    [cloudfront_http]
SEDCMD-1-AppleTV = s/Apple%A0TV/AppleTV/g

The problem is that nothing is happening. The raw text 'Apple%A0TV' is still occuring and is not getting replaced.

Any ideas?

asked 15 Feb '11, 00:21

jcbrendsel's gravatar image

jcbrendsel
1451116
accept rate: 0%

edited 15 Feb '11, 01:31

gkanapathy's gravatar image

gkanapathy ♦
32.4k4827
2 Answers:
oldestnewestmost voted
1

The SEDCMD will not retroactively change the values for data that is already indexed. Have you confirmed that it's not working on new data?

link

answered 15 Feb '11, 00:24

Ron%20Naken's gravatar image

Ron Naken
4.1k3427
accept rate: 38%

edited 15 Feb '11, 00:40

Correct. It is not working on new data. Are there any issues with orders of precedence? This is defined on a custom sourcetype which is defined in the forwarding server.

(15 Feb '11, 01:24) jcbrendsel

The SEDCMD works. Try placing it on your forwarder -- it may not be configured as a light forwarder.

(15 Feb '11, 06:44) Ron Naken

I meant to say that I tested your SEDCMD, and it works. I can't edit my comment above to change the wording.

(15 Feb '11, 08:53) Ron Naken
1

If this is a light forwarder, SEDCMD will not run there, and must be run on the indexer. Please see http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for more details

link

answered 15 Feb '11, 01:32

gkanapathy's gravatar image

gkanapathy ♦
32.4k4827
accept rate: 41%

I am running SEDCMD on the indexer. But the data is coming from another machine (which is configured as a forwarder).

(15 Feb '11, 08:50) jcbrendsel

And the forwarder is a light forwarder? Or heavy? And there is no intermediate forwarder?

(15 Feb '11, 22:06) gkanapathy ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×35

Asked: 15 Feb '11, 00:21

Seen: 1,115 times

Last updated: 12 Apr '11, 16:22

Related questions

sedcmd not being applied

SEDCMD pattern replacement not working

remove space and tab char between from ">" "<\"

SEDCMD tab insert

SEDCMD to anonymize CC data isnt working

SEDCMD is not working

Correct syntax for syslog source in props.conf for SEDCMD

New line appears in event as "\n" -- how can I replace them with a new line?

help with SEDCMD

Copyright © 2005-2012 Splunk Inc. All rights reserved.