index time SED from props.conf

jbower · ‎01-09-2012

Are the SED commands in props.conf excuted in order? In other words

Note: (All the following is under [default])

Can I write a test to set a field so it will fail a SED test

SEDCMD-callid =s/(.*callid)(=)(.*)/\1~\3/g

then run the main SED test

SEDCMD-ssnmask = s/(.*[ :=;,])(?!000)(?!666)(?!9)\d{3}[ -](?!00)\d\d[ -](?!0000)(\d{4}[ =;,&].*)/\1###SSN-SCRUBBED###\2/g
SEDCMD-ssnmask1 = s/(.*[ :=;,])(?!000)(?!666)(?!9)\d{3}(?!00)\d\d(?!0000)(\d{4}[ ;,&=].*)/\1###SSN-SCRUBBED###\2/g

and then change it back

SEDCMD-callid_fix =s/(.*callid)(~)(.*)/\1=\3/g

or might the indexer not always run the SED commands in that order?

jbower · ‎01-10-2012

I found how you do it (put all the SED commands on one line)
so

SEDCMD-Master = s/(.[ :=;,])(?!000)(?!666)(?!9)d{3} -dd -(d{4}[ =;,&].)/1###SSN-SCRUBBED###2/g s/(.[ :=;,])(?!000)(?!666)(?!9)d{3}(?!00)dd(?!0000)(d{4}[ ;,&=].)/1###SSN-SCRUBBED###2/g

and then thay will get excuted in order.

index time SED from props.conf

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms