- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex is kicking my butt
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex is kicking my butt
So I'm attempting to drop events from the windows security logs at the indexer so I've created a props.conf that is this:
[source::WinEventLog:Security]
TRANSFORMS-set=setnull, setparsing
and my transforms.conf is:
Exclude windows events
[WinEventLog:Security]
REGEX = (?m) EventCode=(5156).
DEST_KEY = queue
FORMAT = nullQueue
So I'm a Splunk newbie and have struggled/searched/restarted my test instance countless times with still no success. These conf files are in the /opt/splunk/etc/system/local/ and I've yet to even get one event to hit the null queue??? Help!!! thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any idea why this stopped working? Where do I start troubleshooting?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. (5125|4267|1337) etc
I don't know if there is a risk that you'll match 5-digit EventCodes by accident, i.e. 1234 could also match 12345 Might want to add \b at the end of your string.
REGEX=(?m)EventCode=(1234|3456|6789)\b
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome, thanks Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome, thanks Kristian
Now to add other events I just | them correct?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem lies in how you name/define the transform. In props.conf, you call for two transforms to take place. But these are not found in transforms.conf. Also, for wineventlogs, you do not need to do source:: in props.
And you don't need the setparsing transform either. From the example in the docs, that is used when you want discard all events (to the nullQueue), and then change back to the parsingQueue for those events that match the regex.
Try this instead.
props.conf
[WinEventLog:Security]
TRANSFORMS-set=setnull
transforms.conf
[setnull]
REGEX = (?m)EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue
Hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This operation takes place during the parsing phase. So the configuration must be on the first of the following in your chain from source log to indexed data; a Heavy Forwarder or an Indexer. See the following page;
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
No, dropped data does not count towards the license.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would this need to go on a indexer or search head in a cluster? Does the dropped data count toward license?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
EDITED:
Follow Kristian answer...
Regards
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
