We are trying to remove a few lines from log files before indexing, using the SEDCMD command in props.conf.
We are using a universal forwarder and we have only one Splunk Enterprise server.
Search and Index are both installed on that Splunk Enterprise server.
For testing purposes we have written the below command in props.conf (D:\SPLUNK\etc\apps\search\local) on the Splunk Enterprise server.
[sourcetype]
SEDCMD-alter=s/Lastline//g
We were expecting that the word 'Lastline' would not appear in the search, but it didn't work.
Could you please suggest any way to solve this?
Many thanks