In this blog we will walk through, step by step, how to add a prefix to every event in Splunk using the SEDCMD parameter in props.conf.
SEDCMD
It is used to remove, replace, substitute or add data at index time only. It is commonly used to protect private or sensitive data, for example passwords or credit card numbers, by deleting or masking (replacing) it before it is written to the index.
Splunk does not set it by default.
Syntax
SEDCMD-<class-name> = s/<regex>/<replacement>/<flags>
s – selects substitution (replace what <regex> matches with <replacement>).
regex – the regular expression that matches the word/string to be removed or replaced.
replacement – the text that replaces each match.
flags – g to replace all matches, or a number N to replace only the Nth match.
Objective:
To add a prefix, i.e., a character or group of characters, at the beginning of every event.
Solution:
We will be using the SEDCMD parameter in props to achieve the above objective.
Consider the following sample data:
Our objective is to add "Avotrix: " as a prefix to every event.
Props.conf will be edited as below:
[sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{8}
NO_BINARY_CHECK=true
SEDCMD-prefix1=s/^/Avotrix: /g
Explanation of props:
SEDCMD-prefix1=s/<regex1>/<regex2>/<flags>
regex1 – the pattern to be replaced.
regex2 – the text that replaces each match of regex1.
SEDCMD-prefix1=s/^/Avotrix: /g
Here regex1 is ^, which matches the (empty) start of every event, and regex2 is "Avotrix: ", so the start of each event is replaced with the prefix "Avotrix: ". prefix1 is the SEDCMD class name, s selects substitution, and the g flag replaces all matches.
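To make the s/regex/replacement/flags semantics concrete, here is a small Python simulation (added here, not Splunk's own code or part of the original post) that parses SEDCMD values and applies them to constructed events, using the page's prefix rule together with a constructed masking rule for the credit card use case mentioned above.

```python
import re

# Constructed sample events; not the screenshot data from the original post.
SAMPLE_EVENTS = [
    "20240101 user=alice action=login card=4111111111111111",
    "20240102 user=bob action=purchase card=5500000000000004",
]

def parse_sedcmd(value):
    """Split a props.conf SEDCMD value s/<regex>/<replacement>/<flags>
    on unescaped '/' delimiters. Only the 's' (substitute) form is handled."""
    if not value.startswith("s/"):
        raise ValueError("only s/// substitutions are supported")
    parts = re.split(r"(?<!\\)/", value[2:])
    if len(parts) != 3:
        raise ValueError(f"malformed SEDCMD: {value!r}")
    regex, replacement, flags = parts
    return regex, replacement.replace(r"\/", "/"), flags

def apply_sedcmd(value, event):
    """Apply one rule to a raw event: 'g' replaces every match, a number N
    replaces only the Nth match, no flag replaces the first match (sed default).
    Backreferences such as \\1 in the replacement are expanded."""
    regex, replacement, flags = parse_sedcmd(value)
    pattern = re.compile(regex)
    if flags == "g":
        return pattern.sub(replacement, event)
    nth = int(flags) if flags else 1
    for i, m in enumerate(pattern.finditer(event), start=1):
        if i == nth:
            return event[:m.start()] + m.expand(replacement) + event[m.end():]
    return event

def apply_props(sedcmds, events):
    """Apply every SEDCMD-<class> rule of a stanza to each event, in order,
    as the parsing pipeline does on a heavy forwarder or indexer."""
    out = []
    for ev in events:
        for rule in sedcmds:
            ev = apply_sedcmd(rule, ev)
        out.append(ev)
    return out

# The prefix rule from the page plus a constructed masking rule (SEDCMD-maskcard)
# that keeps only the last four digits of a 16-digit card number.
PROPS_SEDCMDS = [
    "s/^/Avotrix: /g",
    r"s/card=\d{12}(\d{4})/card=XXXXXXXXXXXX\1/g",
]

if __name__ == "__main__":
    for line in apply_props(PROPS_SEDCMDS, SAMPLE_EVENTS):
        print(line)
```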
The final result should look as below:
Note: SEDCMD is applied at the parsing stage, so configure it on the first instance that parses the data, i.e. a heavy forwarder or an indexer; a universal forwarder does not apply it.