Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filter event data using conditional regex

anshul0915
Explorer
‎09-22-2017 09:56 PM

HI All,

Below is my raw event data .
{"FormatVersion":"1.1","StartTime":"2017-09-22T01:11:38.565Z","EndTime":"2017-09-22T01:11:39.468Z","EventType":"Login","Result":"Success","UserId":"dmorand","TerminalId":"172.16.3.85","SessionId":"RCIcAM1DxUYmG7WMDMkEuQXyGTpOqcBMtyrGOPpFUPU=","LoginUri":"/login-auth/saml","EventSource":"Platform","ServerHostname":"fe02.hbc.stage.us-west-2.orionsaas"}

I want event indexing like below condition.
1. IF "EventType":"Login" and "LoginUri":"/login-auth/saml" the index those event. means we need to discard those event in which event type = login and login uri != /login-auth/saml
2. if "EventType":"Login" and "LoginUri" is not present then index those event
3. If in logs event type not equal to login then index those events also

please help for making this regex .

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-24-2017 09:54 AM

Props.conf

 [sourcetypeName]
 KV_MODE=json
 INDEXED_EXTRACTIONS=true
 TRANSFORMS-toNull=toNull

Transforms.conf

 [toNull]
 REGEX= .*^((?!EventType":"Login".*LoginUri":"\/login-auth\/saml).*)
 DEST_KEY=queue
 FORMAT=nullQueue

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-24-2017 09:54 AM

Props.conf

 [sourcetypeName]
 KV_MODE=json
 INDEXED_EXTRACTIONS=true
 TRANSFORMS-toNull=toNull

Transforms.conf

 [toNull]
 REGEX= .*^((?!EventType":"Login".*LoginUri":"\/login-auth\/saml).*)
 DEST_KEY=queue
 FORMAT=nullQueue
0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎09-24-2017 10:09 AM

Needs to be on the forwarder(s) and indexer(s). Will only apply to new data that is indexed after the settings are in placeZ

0 Karma
Reply
Solved! Jump to solution

anshul0915
Explorer
‎09-24-2017 10:41 AM

Why on both places configuration required . On only indexer will it not work??

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎09-25-2017 11:26 AM

INDEXED_EXTRACTIONS has to be on the forwarder. The queue routing happens on first full Splunk instance (heavy forwarder or indexer).

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎09-24-2017 05:04 AM

what does the last point 'if "EventType":"Login" not equals to Login index those event' mean?

0 Karma
Reply
Solved! Jump to solution

anshul0915
Explorer
‎09-24-2017 05:10 AM

If in logs event type not equal to login then index those events also

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎09-24-2017 08:20 AM

one last question - do you want to extract them in the conf files before getting indexed or you want to write a post search regex to extract ONLY these events using regex for this particular use case?

0 Karma
Reply
Solved! Jump to solution

anshul0915
Explorer
‎09-24-2017 08:44 AM

Want in conf file before getting indexed

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...