In this blog we will practically perform how to add prefix using Sedcmd parameter in Splunk using props.conf.


 It is used to remove/replace/substitute/add data only  at index time. It is used to protect private or sensitive data by deleting or encrypting it. For example passwords, credit card number etc.

Splunk does not set it by default.


SEDCMD-<class-name>= s/regex /flags.

s – It is used for replacement.

Regex– It is the regular expression that captures words/string which needs to be removed/replaced.

Flag– g to replace all the matches ,or a number to replace specific match.


To add a prefix i.e., a character or group of characters at the beginning of every line.


We will be using the SEDCMD parameter in props to achieve the above objective.

Consider the following sample data:

Sample data:

Our objective is to add ” Avotrix:”  for all the events as prefixes.

Props.conf will be edited as below:





SEDCMD-prefix1=s/^/Avotrix: /g

 Explanation of props : 

SEDCMD-prefix1=s/<regex1> /<regex2>/flags

regex1 regex1 (space) to be replace.

regex2 – space will be replaced by this regex2

SEDCMD-prefix1=s/^/Avotrix: /g

 s/^/Avotrix: /g – so here in this case we want to replace start of every event with Avotrix

SEDCMD-prefix1=s/^/Avotrix: /g

SEDCMD attribute is used to replace space with Avotrix. Prefixl is the sed class name, s is used for replacement prefix word Avotrix  is written in all the events and g to replace all the matches.

 The final result should look like as below:

Note: SEDCMD happens at the parsing stage, so use it either on a heavy forwarder or on an indexer.

If you are still facing an issue, feel free to Ask Doubts in the Comment Section Below and Don’t Forget to Follow us on 👍 Social Networks. Happy Splunking 😉