- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to filter the logs when a username field ends ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following are my transforms.conf and props.conf in my cluster master which are sending all the logs for the below search
logtype=SAT (id="ABC-1" OR id="ABC-2")
transforms.conf
[send_to_heavyforwarder]
SOURCE_KEY = _meta
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
DEST_KEY = _TCP_ROUTING
FORMAT = heavyforwarder_output
props.conf
[default]
TRANSFORMS-heavyforwarder= send_to_heavyforwarder
Now, I want to filter the events when the below search condition met
logtype=SAT id="ABC-2" username="anything that ends with -TEST"
In order to filter the events that match the above condition how to modify my REGEX in transforms.conf. I think I need to use to something like negative look-back but not sure what could be my new syntax that filters the events when username ends with "-TEST"
Any help would be great.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this ?
(logtype::SAT.*id::(ABC-1|ABC-2).*username::[^\-]+\-TEST)
OR
logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-TEST
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this ?
(logtype::SAT.*id::(ABC-1|ABC-2).*username::[^\-]+\-TEST)
OR
logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-TEST
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mayurr98 I actually want to exclude any logs which contain "-TEST" at the end of username. The above answer will work if I wanted to include those logs.
I am trying to find the right syntax for excluding those something like nagative look-back's.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
https://regex101.com/r/QhCN5V/1
logtype::SAT.*id::(ABC-1|ABC-2).*username::[^\-]+\-(?!TEST)
OR
logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-(?!TEST)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @mayurr98 . It almost worked great but what could be the regex if my username values are as follows
abc-def-ghi
jkl-mno-TEST
agh_123
ghk-TEST
Among the above 4 examples. Now, I just want to filter the username value's that ends with -TEST
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
