Hi everyone,
I am having difficulty filtering events via my props/transforms.conf files. Below are the key stanzas from my transforms.conf and props.conf files. My question is in regard to regular expressions. If I want to filter out something such as a *NIX path like /opt/WVRTSralus/bin/beremote, do I have to replace the / with a REGEX \W to get exe\W\W\Wopt\WVRTSralux\Wbin\Wberemote\W, as I have outlined below? Or can I get away with REGEX = (exe=opt//opt/WVRTSralus/bin/beremote)?
transforms.conf:
[setnull]
LOOKAHEAD = 100000
REGEX = (\Wopt\WMcAfee\W|opt\Wvmware\Wtools\W|\Wopt\WNAI\W|\Wusr\Wshare\Wlocale\W|\W\Wso|\W\Wso\W\d|\Wusr\Wshare\Wlocale\W|\Wopt\Wsplunkforwarder\W|\Whome\Wbserver\WCode\W|proc\Wnet\W|exe\W\W\Wopt\WVRTSralux\Wbin\Wberemote\W)
DEST_KEY = queue
FORMAT = nullQueue
props.conf:
[source::/var/log/audit/audit.log]
TRANSFORMS-null=setnull
If you want to filter on the path, then the regular expression is the path:
[setnull]
REGEX=/opt/WVRTSralus/bin/beremote
...
If you want multiples, you can use the | - I add the () for clarity
[setnull]
REGEX=(:/opt/WVRTSralus/bin/beremote)|(:/opt/splunkforwarder)
...
If your paths have \, then you need to double them \\
I am not sure why you want all the \W - nothing in the path names is being wildcarded and nothing is a special character to regex.
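To see the nullQueue behaviour described above against real-looking input, here is an added example (not code from the post or from Splunk). It emulates a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue in Python's re module: REGEX is applied as an unanchored search over each raw event, and matching events are discarded. The audit.log lines are constructed samples in auditd's exe="..." format; the alternation pattern is written without the leading ':' from the answer, which is an assumption here because auditd writes exe="/opt/..." with no colon. It also tests the \W pattern from the question: the question's transforms.conf spells the directory WVRTSralux while the path being filtered is WVRTSralus, so that pattern matches nothing in these samples.

```python
import re

# Constructed sample auditd lines (not from the original post). The exe="..."
# field carries the executable path that the transforms.conf REGEX targets.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1356789012.123:4567): arch=c000003e syscall=2 success=yes exit=3 '
    'comm="beremote" exe="/opt/WVRTSralus/bin/beremote" key=(null)',
    'type=SYSCALL msg=audit(1356789012.456:4568): arch=c000003e syscall=2 success=yes exit=5 '
    'comm="splunkd" exe="/opt/splunkforwarder/bin/splunkd" key=(null)',
    'type=SYSCALL msg=audit(1356789012.789:4569): arch=c000003e syscall=59 success=yes exit=0 '
    'comm="sudo" exe="/usr/bin/sudo" key="privileged"',
]


def null_queue_filter(events, regex):
    """Emulate a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue.

    REGEX is an unanchored search over each event's raw text; every event
    that matches is routed to nullQueue (discarded), the rest are indexed.
    Returns (kept, dropped).
    """
    pattern = re.compile(regex)
    kept, dropped = [], []
    for event in events:
        (dropped if pattern.search(event) else kept).append(event)
    return kept, dropped


def exe_of(event):
    """Pull the exe="..." value out of an audit line, for readable reporting."""
    m = re.search(r'exe="([^"]*)"', event)
    return m.group(1) if m else None


def regex_for_path(path):
    """Escape a literal path for use as REGEX. '/' is not a regex
    metacharacter, so a *NIX path comes back unchanged; '\\' and '.' would
    be escaped, which is why Windows-style paths need doubled backslashes."""
    return re.escape(path)


# Candidate patterns: the answer's literal path, the alternation (assumed
# without the leading ':'), and the \W form from the question.
LITERAL_PATH = r'/opt/WVRTSralus/bin/beremote'
ALTERNATION = r'(/opt/WVRTSralus/bin/beremote)|(/opt/splunkforwarder)'
BACKSLASH_W = r'exe\W\W\Wopt\WVRTSralux\Wbin\Wberemote\W'


def dropped_exes(regex, events=SAMPLE_AUDIT_LINES):
    """Executable paths of the events a given REGEX would send to nullQueue."""
    _, dropped = null_queue_filter(events, regex)
    return [exe_of(e) for e in dropped]


if __name__ == "__main__":
    candidates = [("literal", LITERAL_PATH), ("alternation", ALTERNATION), ("\\W form", BACKSLASH_W)]
    for name, regex in candidates:
        print(f"{name:12} {regex}")
        print("   drops:", dropped_exes(regex) or "nothing")
    print("escaped path:", regex_for_path(LITERAL_PATH))
```

Running it shows the literal path dropping only the beremote event, the alternation dropping beremote and splunkforwarder while the sudo event is kept, and the \W form dropping nothing because of the ralux/ralus mismatch. Splunk's regex engine is PCRE rather than Python's re, but none of these patterns use anything the two engines treat differently.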
Weird the "/" or the "\W" does not seem to render properly...
Thanks Iguinn, I will try that now. I thought you needed the \W to replace the / in the path name. If that is not needed, then great.
I had tried using the regex as you initially stated, but it failed to work over the weekend and consequently, I ended up indexing 5M+ transactions over a 5 hour period. I'll try separating each "filter" with the brackets you suggest, as I agree they do help in reading the REGEX statement.