I'm pulling Exchange ActiveSync information from our IIS logs on OWA, and I want to perform a transform on Apple devices to make readability easier (to allow us to determine which HW/SW version the user is running). It's fairly simple, but I'm new to Splunk and something isn't working quite right.
I created a props.conf file here: $SPLUNK/etc/system/local/props.conf. This file isn't complete; I just filled in a few values for testing, but the search results still show the unmodified logs.
[owa]
SEDCMD-activesync=s/Apple-iPhone3C1/Apple-iPhone4/g
SEDCMD-activesync=s/Apple-iPhone2C1/Apple-iPhone3GS/g
SEDCMD-activesync=s/Apple-iPhone1C2/Apple-iPhone3G/g
For the first transformation, I want to substitute "Apple-iPhone3C1" for "Apple-iPhone4" in the "owa" log.
Thank you.
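An added example, not part of the original post: a props.conf stanza in which each SEDCMD has its own class name, because a key repeated inside one stanza is overridden by its later copies and only the last one takes effect. It assumes `owa` is the sourcetype name and that the file sits on the Splunk instance that parses the incoming data; the class names are made up for illustration.

```ini
# $SPLUNK/etc/system/local/props.conf (path taken from the post)
# Assumption: "owa" is the sourcetype assigned to the IIS logs.
[owa]

# As posted, the key SEDCMD-activesync appears three times. Only the
# last assignment survives, so just the iPhone1C2 rule would ever run:
# SEDCMD-activesync=s/Apple-iPhone3C1/Apple-iPhone4/g
# SEDCMD-activesync=s/Apple-iPhone2C1/Apple-iPhone3GS/g
# SEDCMD-activesync=s/Apple-iPhone1C2/Apple-iPhone3G/g

# Corrected: one unique class name per rule (names are illustrative).
SEDCMD-activesync_iphone4 = s/Apple-iPhone3C1/Apple-iPhone4/g
SEDCMD-activesync_iphone3gs = s/Apple-iPhone2C1/Apple-iPhone3GS/g
SEDCMD-activesync_iphone3g = s/Apple-iPhone1C2/Apple-iPhone3G/g

# SEDCMD rewrites _raw at index time. Restart Splunk after editing;
# only events indexed after the restart are rewritten, and events
# that were already indexed keep their original text.
```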