Regex not finding what I'm looking for???

cdupuis123
Path Finder

I have this event and I'm trying to send it to the nullQueue if it contains SYSTEM.

2013-10-24 15:02:34,Major,REMOVED,Allowed, - Caller MD5=61b1dfb9703d0d678e108e0156fcbb69,Create Process,Begin: 2013-10-24 15:02:20,End: 2013-10-24 15:02:20,Rule: This one is a splat | Watch these Executables,1504,C:/Program Files/VMware/VMware Tools/vmtoolsd.exe,0,No Module Name,C:/Windows/System32/net.exe,User: SYSTEM,Domain: WORKGROUP,Action Type:

source = D:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp
sourcetype = sep_behavior

My props.conf is set to this:
[sep_behavior]
TRANSFORMS-set=setnull1

And my transforms.conf is set to this:

# Exclude sep:behavior system events

[setnull1]
REGEX = /User: SYSTEM/m
DEST_KEY = queue
FORMAT = nullQueue


lukejadamec
Super Champion

Your regex does not look right.

You can try this:

,User:\sSYSTEM,

Or this if User is a field:

(?msi)^User:\sSYSTEM
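To see why the original stanza never routes anything to nullQueue, the following added example (not code from the thread or from Splunk) replays both transforms.conf variants against the event from the question. Splunk's REGEX setting takes a bare PCRE expression with no delimiters, so the leading `/` and trailing `/m` are matched as literal characters; Python's `re` module stands in for Splunk's PCRE engine here, which is an assumption that holds for these simple patterns. The second event, the `load_transform` / `route_event` / `route_all` helpers and the "indexQueue" label for the default queue are constructed for illustration.

```python
import configparser
import re

# Constructed sample events: the first is the event from the question, the
# second is a made-up non-SYSTEM event that should stay in the index.
EVENTS = [
    "2013-10-24 15:02:34,Major,REMOVED,Allowed, - Caller MD5=61b1dfb9703d0d678e108e0156fcbb69,"
    "Create Process,Begin: 2013-10-24 15:02:20,End: 2013-10-24 15:02:20,"
    "Rule: This one is a splat | Watch these Executables,1504,"
    "C:/Program Files/VMware/VMware Tools/vmtoolsd.exe,0,No Module Name,"
    "C:/Windows/System32/net.exe,User: SYSTEM,Domain: WORKGROUP,Action Type:",
    "2013-10-24 15:03:10,Major,REMOVED,Allowed, - Caller MD5=00000000000000000000000000000000,"
    "Create Process,Begin: 2013-10-24 15:03:00,End: 2013-10-24 15:03:00,"
    "Rule: Watch these Executables,1504,"
    "C:/Windows/System32/cmd.exe,0,No Module Name,"
    "C:/Windows/System32/net.exe,User: jsmith,Domain: WORKGROUP,Action Type:",
]

# The poster's stanza: the REGEX is wrapped in /.../m as if it were a
# JavaScript or Perl literal, so the slashes and the "m" become part of the pattern.
ORIGINAL_TRANSFORMS = r"""
# Exclude sep:behavior system events
[setnull1]
REGEX = /User: SYSTEM/m
DEST_KEY = queue
FORMAT = nullQueue
"""

# Corrected stanza: a bare PCRE expression, anchored on the surrounding commas
# so that "User: SYSTEM" is matched only as a whole CSV field.
FIXED_TRANSFORMS = r"""
# Exclude sep:behavior system events
[setnull1]
REGEX = ,User:\sSYSTEM,
DEST_KEY = queue
FORMAT = nullQueue
"""


def load_transform(conf_text, stanza):
    """Parse one transforms.conf stanza into a dict of its settings."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep REGEX / DEST_KEY / FORMAT exactly as written
    cfg.read_string(conf_text)
    return dict(cfg[stanza])


def route_event(raw, transform):
    """Mimic an index-time transform: REGEX is applied to the raw event text
    as-is, with no delimiters stripped, and a match sends the event to FORMAT."""
    if transform.get("DEST_KEY") != "queue":
        raise ValueError("this example only models DEST_KEY = queue")
    if re.search(transform["REGEX"], raw):
        return transform["FORMAT"]  # nullQueue: event is discarded
    return "indexQueue"             # constructed label for the default queue


def route_all(conf_text, events, stanza="setnull1"):
    """Return the queue each event would be routed to under the given stanza."""
    transform = load_transform(conf_text, stanza)
    return [route_event(raw, transform) for raw in events]


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_TRANSFORMS), ("fixed", FIXED_TRANSFORMS)):
        print(label, route_all(conf, EVENTS))
```

With the original stanza both events land in the index queue, because nothing in the raw text contains the literal string `/User: SYSTEM/m`; with the corrected stanza only the SYSTEM event is discarded. When changing an index-time transform, remember that it only affects data indexed after the restart, so test against fresh events rather than searching existing ones.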