Splunk Search

how to exclude sending logs to heavy forwarder which ends with a specific string using transforms.conf in cluster master?

pavanae
Builder

The following are my transforms.conf and props.conf in my cluster master

transforms.conf

[send_to_heavyforwarder]
SOURCE_KEY = _meta
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
DEST_KEY = _TCP_ROUTING
FORMAT = heavyforwarder_output

props.conf

[default]
TRANSFORMS-heavyforwarder= send_to_heavyforwarder

This is used to send logs to a heavy forwarder only when the fields match the regex condition specified in transforms.conf, which is below:

REGEX = (logtype::SAT.*id::(ABC-1|ABC-2)) 

Now I need to send one more id (whose field value is ABC-3) to the heavy forwarder, but instead of sending the whole logs to the heavy forwarder I need to exclude sending logs to the heavy forwarder when a username field ends with the string "TEST". For that I have modified my regex in transforms.conf as below:

REGEX = (logtype::SAT.*id::(ABC-1|ABC-2)) | (logtype::SAT.*id::ABC-3.*username!::[a-zA-Z]{2,3}-+.*?-TEST)

Could anyone verify the above regex and confirm whether I used the right condition to satisfy the requirement? If not, what would be the proper REGEX syntax to apply in my transforms.conf?

Any help could be great.

Note: username is also a metadata field.

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this (using negative lookahead):

REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))|(logtype::SAT.*?id::ABC-3.*?username::(?![^:]+\-TEST))

See here for validation:
https://regex101.com/r/Vehygk/1

0 Karma
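As an added check that is not part of the thread, the following Python script runs the accepted regex against a few constructed _meta strings (hypothetical values, not from the original post) to show which events would be routed to the heavy forwarder and which would be excluded. It uses Python's re module rather than Splunk's PCRE engine, but this pattern behaves the same in both. It also includes a stricter variant (an assumption of mine, not from the answer) that only excludes usernames that actually end in -TEST, since the accepted lookahead also excludes usernames that merely contain -TEST somewhere, such as -TESTING.

```python
import re

# Regex from the accepted answer, applied to SOURCE_KEY = _meta.
ROUTE_REGEX = re.compile(
    r"(logtype::SAT.*id::(ABC-1|ABC-2))"
    r"|(logtype::SAT.*?id::ABC-3.*?username::(?![^:]+\-TEST))"
)

# Stricter variant (assumption, not from the thread): the username value is
# one whitespace-free token, so require -TEST to be followed by a space or
# the end of _meta before excluding the event.
STRICT_REGEX = re.compile(
    r"(logtype::SAT.*id::(ABC-1|ABC-2))"
    r"|(logtype::SAT.*?id::ABC-3.*?username::(?!\S*-TEST(?:\s|$)))"
)

# Constructed sample _meta strings (key::value pairs separated by spaces).
# Both patterns assume id:: appears before username:: in _meta.
SAMPLE_META = [
    "logtype::SAT host::srv1 id::ABC-1 username::ab-user",
    "logtype::SAT host::srv1 id::ABC-2 username::ab-user-TEST",
    "logtype::SAT host::srv1 id::ABC-3 username::ab-user-PROD",
    "logtype::SAT host::srv1 id::ABC-3 username::ab-user-TEST",
    "logtype::SAT host::srv1 id::ABC-3 username::ab-user-TESTING",
    "logtype::SAT host::srv1 id::ABC-4 username::ab-user",
    "logtype::OTHER host::srv1 id::ABC-3 username::ab-user",
]


def routes_to_heavy_forwarder(meta: str, pattern: re.Pattern = ROUTE_REGEX) -> bool:
    """True if the transform would set _TCP_ROUTING for this _meta string."""
    return pattern.search(meta) is not None


def routing_table(metas=SAMPLE_META) -> dict:
    """Map each _meta string to (accepted-regex result, strict-regex result)."""
    return {
        m: (routes_to_heavy_forwarder(m), routes_to_heavy_forwarder(m, STRICT_REGEX))
        for m in metas
    }


if __name__ == "__main__":
    for meta, (accepted, strict) in routing_table().items():
        print(f"{'route' if accepted else 'keep ':5} {'route' if strict else 'keep ':5}  {meta}")
```

Two things the run makes visible: ABC-1 and ABC-2 events are routed regardless of username, exactly as the first alternative intends, and for ABC-3 the accepted lookahead treats ab-user-TESTING as excluded while the stricter variant still routes it. Also note that id::(ABC-1|ABC-2) has no trailing boundary, so an id such as ABC-10 would match the first alternative as well.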

diogofgm
SplunkTrust

If you need to validate your regex, try using www.regex101.com.
You can post your expression and some logs and see what is captured.

Hope this helps

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

pavanae
Builder

I am good with the regex. I have tested it and it worked. I'm trying to see if my syntax under transforms.conf is correct, especially since I need to use a not operator, and for that I have used "!". I wanted to check if that's the correct syntax format. @diogofgm

0 Karma