Hello!
I have this log:
013db64db1d4,250993102139,62f0cffe,3fad,fbc3,7f08ff01
013db64db1cd,250027013354,_,3fde,fd9e,_
013db64db1ae,@,95800970,3fad,fbb1,82e01bbc
013db64db1cd,250993231395,78e0f35c,df5a,8b71,63a0d3d4
013db64db106,@,9910a7a2,3fde,890d,8320b744
I want to ignore events with @ on second position in every event on this log. What REGEX should I write in a file transforms.conf for nullQueue filtering?
Instead of the symbol @ to be read symbol _
The _ in the code for some reason does not appear.
Sorry, I am new to regular expressions, unfortunately.
Thanks!
"Instead of the symbol @ to be read symbol _"
Does this mean that you would like to send all events matching "_" (underscore) in the second position to the nullQueue?
In that case your transform/regex should be;
REGEX = ^\w+,_,
DEST_KEY = queue
FORMAT = nullQueue
Of course you could be even more specific, if you only want this nullqueueing to happen when the first position is a 12-character hex string;
REGEX = ^[a-fA-F0-9]{12},_,
or less specific, if the first position can contain anything (apart from a comma);
REGEX = ^[^,]+,_,
Hope this helps,
Kristian
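The three REGEX variants from the answer above can be dry-run against sample events before deployment, since anything routed to nullQueue is discarded before indexing and cannot be recovered afterwards. This is an added example, not part of the original thread. Assumptions: Python's re module stands in for Splunk's PCRE matching (equivalent for these patterns), the sample events are the question's log with `_` substituted for `@` plus one constructed line with a non-hex first field, and the unanchored pattern is a constructed contrast.

```python
import re

# The three anchored patterns from the answer, plus one unanchored variant
# (constructed here) to show why the leading ^ matters.
PATTERNS = {
    "word_first_field": r"^\w+,_,",
    "hex12_first_field": r"^[a-fA-F0-9]{12},_,",
    "any_first_field": r"^[^,]+,_,",
    "unanchored (constructed)": r",_,",
}

# Events from the question with "_" where the post shows "@";
# the last line is constructed (first field is not a hex string).
SAMPLE_EVENTS = [
    "013db64db1d4,250993102139,62f0cffe,3fad,fbc3,7f08ff01",
    "013db64db1cd,250027013354,_,3fde,fd9e,_",
    "013db64db1ae,_,95800970,3fad,fbb1,82e01bbc",
    "013db64db1cd,250993231395,78e0f35c,df5a,8b71,63a0d3d4",
    "013db64db106,_,9910a7a2,3fde,890d,8320b744",
    "gw-07,_,95800970,3fad,fbb1,82e01bbc",
]

def expected_drops(events):
    """Ground truth: indexes of events whose second field is exactly "_"."""
    return [i for i, e in enumerate(events) if e.split(",")[1:2] == ["_"]]

def regex_drops(pattern, events):
    """Indexes a transform with this REGEX would send to nullQueue.
    REGEX is searched anywhere in the raw event unless anchored, so
    re.search (not re.match) is the right analogue."""
    rx = re.compile(pattern)
    return [i for i, e in enumerate(events) if rx.search(e)]

def audit(patterns, events):
    """Map name -> (dropped, wrongly_dropped, missed) as sorted index lists."""
    want = set(expected_drops(events))
    report = {}
    for name, pat in patterns.items():
        got = set(regex_drops(pat, events))
        report[name] = (sorted(got), sorted(got - want), sorted(want - got))
    return report

if __name__ == "__main__":
    for name, (dropped, lost, missed) in audit(PATTERNS, SAMPLE_EVENTS).items():
        print(f"{name:26} drops={dropped} wrongly_dropped={lost} missed={missed}")
```

The second sample event has `_` in its third field only, so it is the one an unanchored pattern would silently discard.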
Oh, and it seems like your events have hex timestamps, does Splunk treat that gracefully?
Thank you, Kristian!
This is just what I needed!