Splunk Search

How to use regex to filter out logs?

martaBenedetti
Path Finder

Hi community,

I have the need to exclude AIX logs containing a certain field value.

This is the regex the parser is using to extract the vendor_action field:

^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+(?<pid>\d+)\s+(?<ppid>\d+)\s+(?<user>\S+)\s+(?<process>\S+)\s+(?<vendor_action>\S+)\s+(?<status>\S+)
I'm trying to exclude events that contain vendor_action=FILE_Unlink and these are my conf files located on the Heavy Forwarder:

props.conf

[aix:audit]
TRANSFORMS-null= setnull
transforms.conf

[setnull]
REGEX    = ^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+FILE_Unlink\s+\S+
DEST_KEY = queue
FORMAT   = nullQueue

Here are sample logs: the first one should be excluded while the second one should not:

Fri Jul 02 10:01:49 2021 34078844 8520050  dbloader rm                              FILE_Unlink     OK          Not supported                   
        filename /tmp/CSI_ODS_M_SIA__INFO_RILANCIO.txt

Fri Jul 02 10:01:46 2021 34930828 4587668  root     root     lsvg                            FILE_Unlink     OK          
        filename /dev/__pv17.0.34930828

When I restart Splunk all logs are excluded, so I think something is wrong with my REGEX even if on regex101 it seems to work fine.

Any ideas?

Thanks a lot

Marta


ITWhisperer
SplunkTrust

The first one has 2 words between the numbers and FILE_Unlink whereas the second one has 3 words - your regex only caters for the first case

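To see what ITWhisperer's field-count remark means in practice, here is an added example (not from the thread or from Splunk) that runs both the posted extraction regex and the posted [setnull] REGEX over the two sample events offline, so a transforms.conf REGEX can be checked before it is deployed to a forwarder. It assumes the events are broken exactly as shown in the question (the `filename` line belongs to the preceding event) and converts Splunk's PCRE `(?<name>...)` groups to Python's `(?P<name>...)` syntax.

```python
import re

# Extraction regex and nullQueue REGEX exactly as posted in the question.
EXTRACT_PCRE = (r"^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+(?<pid>\d+)\s+(?<ppid>\d+)"
                r"\s+(?<user>\S+)\s+(?<process>\S+)\s+(?<vendor_action>\S+)\s+(?<status>\S+)")
SETNULL_REGEX = (r"^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+"
                 r"\s+FILE_Unlink\s+\S+")


def pcre_to_python(pattern: str) -> str:
    """Splunk uses PCRE named groups (?<name>...); Python's re wants (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


EXTRACT = re.compile(pcre_to_python(EXTRACT_PCRE))
SETNULL = re.compile(SETNULL_REGEX)


def extract_fields(event: str) -> dict:
    """Return the fields the parser's regex would extract (empty dict if no match)."""
    m = EXTRACT.search(event)
    return m.groupdict() if m else {}


def routed_to_nullqueue(event: str) -> bool:
    """True if the [setnull] REGEX matches, i.e. Splunk would send the event to nullQueue."""
    return SETNULL.search(event) is not None


# Constructed copies of the two sample events from the question (two lines each).
SAMPLES = [
    "Fri Jul 02 10:01:49 2021 34078844 8520050  dbloader rm      FILE_Unlink     OK   Not supported\n"
    "        filename /tmp/CSI_ODS_M_SIA__INFO_RILANCIO.txt",
    "Fri Jul 02 10:01:46 2021 34930828 4587668  root     root     lsvg      FILE_Unlink     OK\n"
    "        filename /dev/__pv17.0.34930828",
]

if __name__ == "__main__":
    for ev in SAMPLES:
        f = extract_fields(ev)
        # In the second event the fifth token is "lsvg", so vendor_action is not
        # FILE_Unlink and the positional REGEX correctly leaves it alone.
        print(f"pid={f.get('pid')} vendor_action={f.get('vendor_action')} "
              f"status={f.get('status')} dropped={routed_to_nullqueue(ev)}")
```

If both events are reported as dropped here, the REGEX is at fault; if only the first is, the configuration matches the intent and the cause of the observed behaviour lies elsewhere in the pipeline.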

martaBenedetti
Path Finder

@ITWhisperer Do you have suggestion on how to do so?

That is filter out the first kind of log?


Thanks


ITWhisperer
SplunkTrust

I can't see anything wrong with what you have posted. Which version of Splunk are you using?


martaBenedetti
Path Finder

@ITWhisperer on HFW there is Splunk Enterprise 7.1.3.

Thought you were thinking about something 🙂

Thanks anyway!!


martaBenedetti
Path Finder

@ITWhisperer that's right: the first one should be excluded with nullQueue and the second one should be indexed.

The problem though is that all logs are excluded.
