- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Regex Expression
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Regex Expression
Below is the raw data that am getting. I want to extract the events where category is Error.
For this am doing this in props.conf.
[source::d:\TGNI\Logs*.log]
TRANSFORMS-null= setnull
Correction to transforms.conf
[setnull]
REGEX = (?m)Category\:\sInfo
DEST_KEY = queue
FORMAT = nullQueue
Is this the right way to do? Cant seem to get the regex expression right i guess. I still see the info events
1 » 2/18/13
6:48:54.000 PM
Timestamp: 2/18/2013 6:48:54 PM
Category: Error
Machine: devmundia01
IP Address:
Customer ID:
Request URL:
Referrer URL:
Browser Name:
Browser Version:
User Agent:
Show all 24 lines
host=devmundia01 Options| sourcetype=mundiaerr Options| source=d:TGNILogstgni-mundia.2013-02-19.log Options
2 » 2/18/13
6:48:53.000 PM
Timestamp: 2/18/2013 6:48:53 PM
Category: Info
Machine: devmundia01
IP Address: 10.6.8.28 (3yu4xv0x5bbyk5345sqcbegq)
Customer ID:
Request URL: http://10.13.65.105/
Referrer URL:
Browser Name: Jakarta Commons-HttpClient
Browser Version: 0.0
User Agent: Jakarta Commons-HttpClient/3.0.1
Show all 16 lines
host=devmundia01 Options| sourcetype=mundiaerr Options| source=d:TGNILogstgni-mundia.2013-02-19.log Options
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi pdash,
I'm not 100% sure but I think Splunk doesn't need colon ( : ) escaped. Try removing backslash before it.
Regards,
Stefano
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your regex I think should work- but you need to escape the backslashes in your source path:
[source::d:\\TGNI\\Logs*.log]
From the props.conf.spec:
**Considerations for Windows file paths:**
When you specify Windows-based file paths as part of a [source::<source>] stanza, you must escape any backslashes contained within the specified file path.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes. inside system/local
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where do you have this configuration, on the indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
these are coming in after i changed the conf files in indexers and restarted splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you restart Splunk after you set this up? Are these events still coming in even after this, or are these sample events from before you set up the filter?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
