Getting Data In

sedcmd no longer being applied after upgrade to 4.2

ajs07635
Explorer

I have a splunk indexer running on Linux that i recently upgraded to 4.2 and a lightforwarder running on a windows 2k8 that i upgraded to the universal forwarder. After the upgrade, the sedcmd line i have in the props.conf on my indexer doesn't appear to be working any more. I was using it to strip extraneous description text from server 2k8 logs. The logs are still showing up

The line in props.conf looks like this:

[wmi]
SEDCMD-remwinstr = s/(?ism)(This event is generated|Certificate information is only provided).*//g

I believe there is another question that has been asked that i think might be relevant as its happening here as well:

Universal Forwarder: WMI Hostname Config Ignored

For completeness, here is the wmi.conf file on the universal forwarder:

[WMI:DomainControllerLogs]
server = <host1>, <host2>, <host3>, <host4>
interval = 10
disabled = 0
event_log_file = Security
current_only = 0
1 Solution

ajs07635
Explorer

It appears this was the result of a bug that has been fixed in the 4.2.1 release. Both the forwarder AND the indexer must be updated for this issue to be corrected.

View solution in original post

ajs07635
Explorer

It appears this was the result of a bug that has been fixed in the 4.2.1 release. Both the forwarder AND the indexer must be updated for this issue to be corrected.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...