Splunk is indexing a CSV file that contains an IP address and it looks something like this:
"Windows 7","SSHEFFIER8GDAOC","010.003.002.059","101BD9089D18"
The IP has leading zeros which I need removed and prefer to do so at index time, so based on what I've seen in the forums here I added the following SEDCMD line to the relevant props.conf file:
[my:sourcetype]
...(some field extractions)....
EXTRACT-LD_IPAddress = (?:[^"\n]"){17}(?P[^"]+)
SEDCMD = s/(src=|dst=)0([^.]+.)0*([^.]+.)0*([^.]+.)0*(\d+)/\1\2\3\4\5/g
This seems to have no effect on the data. I double checked that the props.conf file was deployed to the indexers. Is there something wrong with the way I did the SEDCMD (what is src & dst?)? Could it be that the SEDCMD needs to be placed before the EXTRACT lines in props.conf? Also, I wonder if the quotes around the IP address could be affecting this?
Thanks for your help.
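The substitution from the post, run against the sample line, as an added example that is not part of the original post. The expression is translated to Python's `re` syntax to show what it matches; `QUOTED_IP`, the function names and every test input other than the quoted CSV line are assumptions introduced here.

```python
import re

# Constructed sample event, same shape as the line quoted in the question.
SAMPLE = '"Windows 7","SSHEFFIER8GDAOC","010.003.002.059","101BD9089D18"'

# The expression from the question's SEDCMD, unchanged.
# It only fires after a literal "src=" or "dst=", and the first octet
# must start with a literal 0 (the first "0" has no "*").
POSTED = re.compile(r'(src=|dst=)0([^.]+.)0*([^.]+.)0*([^.]+.)0*(\d+)')

# Assumed alternative (not from the post): anchor on the surrounding
# double quotes. 0*(\d+) backtracks, so an all-zero octet such as "000"
# still keeps one digit. Values are read as decimal, not octal.
QUOTED_IP = re.compile(r'"0*(\d+)\.0*(\d+)\.0*(\d+)\.0*(\d+)"')


def apply_posted(line: str) -> str:
    """Apply the posted substitution; returns the line unchanged on no match."""
    return POSTED.sub(r'\1\2\3\4\5', line)


def strip_leading_zeros(line: str) -> str:
    """Strip leading zeros from each octet of a double-quoted dotted quad."""
    return QUOTED_IP.sub(r'"\1.\2.\3.\4"', line)


if __name__ == "__main__":
    print("posted :", apply_posted(SAMPLE))         # no src=/dst= in the CSV line
    print("quoted :", strip_leading_zeros(SAMPLE))  # IP field rewritten in place
```

The same expression and replacement can be carried into an `s///` script. props.conf.spec documents the index-time setting as `SEDCMD-<class>`, so the key takes a class suffix.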