Splunk Search

How do you write a regular expression for all events with a certain string?

colbymahan
Explorer

I want to blacklist or send to nullqueue ANY event with a particular phrase. I can use the literal string and just escape the . with a / but I can't figure out how to wildcard everything before and after that string. Not accounting for the varying other parts of the message is causing no results to be returned when I test the regular expression.

EventCode="0"
Message: date stuff mixed characters WARN This.Thing.Right.Here more random stuff and characters

The bold text is what I want to trigger the blacklisting. How do I indicate that the other stuff can be whatever and i don't care?

0 Karma

lguinn2
Legend

In general, Splunk regular expressions are unanchored. If you are using a REGEX in transforms.conf, your regular expression does not need to match the entire event. So it could be

REGEX=WARN This\.Thing\.Right\.Here

and that should work! Please post more specifics if it doesn't.

cpetterborg
SplunkTrust
SplunkTrust

Have you tried using [\s\S]* for your "everything"? It will usually catch all returns as well.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...