Solved: Need help with this REGEX that uses AND and OR

echojacques · ‎08-28-2013

I have a nullQueue setup in my transforms.conf and this regex works perfectly to drop all "service=53" OR "dst=10.10.10.10" events from getting indexed:

REGEX=(service=53|dst=10.10.10.10)

Now, I need to modify it so that it continues to drop all service=53 events but for dst=10.10.10.10, it only drops service=80 OR service=5000 events and keeps the rest. In other words, I need the regex to match this:

drop all (service=53) events
drop events when (dst=10.10.10.10 AND service=80) OR drop when (dst=10.10.10.10 AND service=5000).

To do this, I tried this regex and it didn't work:

REGEX=((service=53|(?=dst=10.10.10.10)(?=service=80|service=5000)))

I'm new to regex and any help would be great. Thanks.

Ayn · ‎08-28-2013

Assuming dst comes before service in the events:

service=53|dst=10.10.10.10.+?(service=80|service=5000)

View solution in original post

Ayn · ‎08-28-2013

Assuming dst comes before service in the events:

service=53|dst=10.10.10.10.+?(service=80|service=5000)

echojacques · ‎08-28-2013

It works, thank you!!

echojacques · ‎08-28-2013

Thanks and yes, dst comes before service. I'll test it this afternoon.

Need help with this REGEX that uses AND and OR

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!