Real novice here. I am ingesting a sourcetype into Splunk, and want to filter out any events with the word "FAILED" right after the first IP address.
Below is my props in etc\apps\search\local:

```
[sslbcoat1]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
TRANSFORMS-null = setnull
```
and then here's my transforms where I THOUGHT I was carving out failures and sending them to null:

```
[geo_us_states]
external_type = geo
filename = geo_us_states.kmz

[geo_countries]
external_type = geo
filename = geo_countries.kmz

[geo_attr_us_states]
filename = geo_attr_us_states.csv

[geo_attr_countries]
filename = geo_attr_countries.csv

[setnull]
REGEX = ^.+(F...).+$
DEST_KEY = queue
FORMAT = nullQueue
```
The regex might be wrong, but somehow I don't think that's the problem. Thanks and any insight would be appreciated.
Sample event:
014-04-17 13:50:22 2 10.3.31.70 FAILED - - - - 199.83.168.160 - - - none - - - - none - - 163.252.254.201 SG-SSL-Proxy-Service - 58642
Your regex looks really off - copy-and-paste error? If not, all it does is look for a capital F followed by some characters.

This should be better: \s\d+\.\d+\.\d+\.\d+\s+FAILED

Note that this doesn't actually match only IPv4 addresses, but it should be correct enough. Additionally, it doesn't check whether it's the first IP that's being followed by FAILED; address that if you expect events that contain FAILED after a later IP that you want to keep, for example by only looking N words deep into the event from the beginning, as these look like syslog-ish headers.
There is an app for Bluecoat ProxySG on Splunkbase that might help you a lot with field extraction and stuff.
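Before putting a REGEX into transforms.conf it is worth dry-running it against a few events, because anything the nullQueue transform matches is dropped before indexing and cannot be recovered. The following is an added Python example, not code from the question or the answer above: it routes constructed sample events (the first one is the event from the question, the others are made up) with the regex proposed in the answer, and with a tightened pattern that only fires when FAILED follows the first IP-looking token. The tightened pattern and the `route` helper are my own assumptions; both patterns use only constructs (lazy quantifiers, negative lookahead) that Splunk's PCRE engine and Python's `re` share.

```python
import re

# Regex proposed in the answer: FAILED after *any* dotted-quad token.
ANY_IP_FAILED = re.compile(r"\s\d+\.\d+\.\d+\.\d+\s+FAILED")

# Assumed tightening (not from the answer): skip tokens from the start of
# the event as long as they are NOT dotted quads, so the first IP-looking
# token is the one that must be followed by FAILED. A later IP followed by
# FAILED no longer triggers the drop.
FIRST_IP_FAILED = re.compile(
    r"^(?:(?!\d+\.\d+\.\d+\.\d+\s)\S+\s+)*?\d+\.\d+\.\d+\.\d+\s+FAILED"
)

# Constructed sample events. SAMPLE_EVENTS[0] is the question's event with
# the (apparently truncated) year written out; the others are invented.
SAMPLE_EVENTS = [
    "2014-04-17 13:50:22 2 10.3.31.70 FAILED - - - - 199.83.168.160 - - - none"
    " - - - - none - - 163.252.254.201 SG-SSL-Proxy-Service - 58642",
    # FAILED follows the SECOND IP: the answer's regex drops this, the
    # first-IP pattern keeps it.
    "2014-04-17 13:50:23 2 10.3.31.71 OBSERVED - - - - 199.83.168.160 FAILED"
    " - - none - - - - none - - 163.252.254.201 SG-SSL-Proxy-Service - 58642",
    # No FAILED at all: kept by both patterns.
    "2014-04-17 13:50:24 2 10.3.31.72 OBSERVED - - - - 199.83.168.160 - - -"
    " none - - - - none - - 163.252.254.201 SG-SSL-Proxy-Service - 58642",
]


def route(event: str, pattern: re.Pattern) -> str:
    """Mimic a TRANSFORMS stanza with DEST_KEY=queue / FORMAT=nullQueue:
    an event whose raw text matches REGEX goes to nullQueue (dropped),
    anything else continues to the indexQueue."""
    return "nullQueue" if pattern.search(event) else "indexQueue"


def route_all(events, pattern: re.Pattern) -> dict:
    """Route every event and key the result by the event's first IP
    (the fourth whitespace-separated token in this log layout)."""
    return {e.split()[3]: route(e, pattern) for e in events}


if __name__ == "__main__":
    for name, pat in (("any IP", ANY_IP_FAILED), ("first IP", FIRST_IP_FAILED)):
        print(f"--- REGEX = {pat.pattern}  ({name})")
        for ip, queue in route_all(SAMPLE_EVENTS, pat).items():
            print(f"{ip:>16}  ->  {queue}")
```

To use the second pattern in Splunk, put it in the `[setnull]` stanza as `REGEX = ^(?:(?!\d+\.\d+\.\d+\.\d+\s)\S+\s+)*?\d+\.\d+\.\d+\.\d+\s+FAILED` and keep `DEST_KEY = queue` and `FORMAT = nullQueue`; remember that the transform only applies to data indexed after the restart, and that `\d+` intentionally accepts non-IP dotted numbers, as the answer notes.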