I want to blacklist or send to nullqueue ANY event with a particular phrase. I can use the literal string and just escape the . with a / but I can't figure out how to wildcard everything before and after that string. Not accounting for the varying other parts of the message is causing no results to be returned when I test the regular expression.
EventCode="0"
Message: date stuff mixed characters WARN This.Thing.Right.Here more random stuff and characters
The bold text is what I want to trigger the blacklisting. How do I indicate that the other stuff can be whatever and I don't care?
In general, Splunk regular expressions are unanchored. If you are using a REGEX in transforms.conf, your regular expression does not need to match the entire event. So it could be
REGEX=WARN This\.Thing\.Right\.Here
and that should work! Please post more specifics if it doesn't.
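To make that concrete, here is the pair of stanzas that route such events to nullQueue, added as an illustration rather than taken from the answer above. The sourcetype name WinEventLog:Application and the transform name setnull are assumptions; the REGEX is the one from the answer, and because Splunk applies REGEX as an unanchored PCRE search, no leading or trailing wildcard is needed.

```ini
# props.conf -- attach the transform to the events you want filtered.
# Sourcetype is an assumption; use the one your events actually carry.
[WinEventLog:Application]
TRANSFORMS-null = setnull

# transforms.conf -- the transform itself.
# REGEX is searched, not anchored, so "date stuff ... WARN This.Thing.Right.Here ... more stuff"
# matches without any .* on either side. Only the literal dots need escaping.
[setnull]
REGEX = WARN This\.Thing\.Right\.Here
DEST_KEY = queue
FORMAT = nullQueue
```

Index-time transforms like this run at the parsing stage (indexer or heavy forwarder, not a universal forwarder), so put the files there and restart or reload before testing. Filtered events are dropped before indexing and cannot be recovered by a later search.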
Have you tried using [\s\S]* for your "everything"? It will usually catch all returns as well.