Solved: does universalforwarder support SEDCMD?

crazyeva · ‎01-22-2014

timeformat is not desired, I tried SEDCMD to correct it(12-hour format with 'am','pm')

props.conf of INDEXER:
SEDCMD-timechar=s/XXXXX/AM/g s/YYYYY/PM/g
TIME_FORMAT=%d-%m-%y %I.%M.%S.%9N %p

but '%p' is not recognized, as SEDCMD has not been effective in the same props.conf.

I wonder if i can put SEDCMD to UNIVERSALFORWARDER, and TIME_FORMART remain on INDEXER?

gfuente · ‎01-22-2014

Hello

SEDCMD happens at the parsing stage, so it applies in a heavy forwarder or in a indexer.

Regards

View solution in original post

gfuente · ‎01-22-2014

Hello

SEDCMD happens at the parsing stage, so it applies in a heavy forwarder or in a indexer.

Regards

crazyeva · ‎01-22-2014

'TIME_FORMAT=%d-%m-%y %I.%M.%S.%9N %p' is correct when i manully modified source data with AM/PM
and 'SEDCMD' part is also effective of replacing XXYY with AM/PM
But they do not work together.

gfuente · ‎01-22-2014

If your config is correct it should work on the indexer, or you can use a heavy forwarder too. Anyway try it locally in the indexer until it works, then move your configs into the production enviroment.

crazyeva · ‎01-22-2014

thank you!
do you have any idea to solve my problem:
timestamp form '22-1-14 09.30.00.000000000 \A\C' in which '\A\C' means PM

does universalforwarder support SEDCMD?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!