Splunk Search

Need help on REGEX to filter off events

remy06
Contributor

I'm trying to filter off events based on the following command: CMD for example.

Here's the sample event and my configuration:

Dec 11 23:53:49 10.138.20.37 Dec 11 23:51:54 myServer ABC:0|ABC|XYZ|1.0|ABC0001|A command (CMD) was run.|3|src=1.2.3.4 ....

In props.conf

[1.2.3.4]  
TRANSFORMS-null = setnull

In transforms.conf

[setnull]  
REGEX = (?i)command \\((?CMD.*)\\)   
DEST_KEY = queue  
FORMAT = nullQueue

This is so that it does not get indexed and add on to the license as the event is generating huge volume of logs. However I'm not able to filter off the event.

Appreciate any help with the regex... thanks

updated:
I've also tried the following regexes, but they don't work:
^.*CMD.*$

^(?=.*?\bCMD\b).*$


remy06
Contributor

In props.conf, we've moved the line TRANSFORMS-null=setnull to the stanza [syslog] instead, and it works, but it simply filters off all the events that have CMD regardless of host.

I've tried using the stanza [host::1.2.3.4] but it doesn't work.

I'm trying to filter off events that have CMD in them from the host 1.2.3.4.


ftk
Motivator

If it works for [syslog], then just modify the regex to look for both CMD and src=1.2.3.4.


Ayn
Legend

First of all, are you sure that the stanza you defined in props.conf is applied to the data you want to filter? Is your sourcetype really "1.2.3.4"? If you want the stanza to be applied based on source host you should use [host::1.2.3.4] instead.

As for the regex, the first one in the updated section should work (though it probably catches stuff it shouldn't as well). Something like this should work if the events you want to filter always contain "command (CMD)": REGEX = command \(CMD\)

...or, if the first part is static but the actual command differs: REGEX = command \([^\)]+\)

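The following is an added example, not code from the thread or from Splunk: it emulates what the [setnull] transform does with each REGEX candidate discussed above (the original attempt, Ayn's two suggestions, and ftk's suggestion to match both the command and src=1.2.3.4) by running them over a few constructed events modelled on the one in the question and reporting which events would be sent to nullQueue. Splunk's transforms use PCRE and Python's re module is close enough for these patterns; the [host::1.2.3.4] stanza scoping has no equivalent here and is not modelled. The sample events, the REGEXES table and the route/summarize helpers are all constructed for this example.

```python
import re

# Constructed sample events modelled on the one in the question (not real log data).
# Event 0: CMD from src=1.2.3.4   Event 1: CMD from another host
# Event 2: a different command from src=1.2.3.4   Event 3: no command at all
SAMPLE_EVENTS = [
    "Dec 11 23:53:49 10.138.20.37 Dec 11 23:51:54 myServer ABC:0|ABC|XYZ|1.0|ABC0001|A command (CMD) was run.|3|src=1.2.3.4 dst=10.0.0.5",
    "Dec 11 23:53:50 10.138.20.37 Dec 11 23:51:55 myServer ABC:0|ABC|XYZ|1.0|ABC0001|A command (CMD) was run.|3|src=10.9.9.9 dst=10.0.0.5",
    "Dec 11 23:53:51 10.138.20.37 Dec 11 23:51:56 myServer ABC:0|ABC|XYZ|1.0|ABC0002|A command (LS) was run.|3|src=1.2.3.4 dst=10.0.0.5",
    "Dec 11 23:53:52 10.138.20.37 Dec 11 23:51:57 myServer ABC:0|ABC|XYZ|1.0|ABC0003|User logon succeeded.|1|src=1.2.3.4 dst=10.0.0.5",
]

# REGEX values as they would appear in transforms.conf (constructed table for this example).
REGEXES = {
    # The original attempt as posted. "(?C" is not a capture group: "(?" introduces
    # special syntax, and a named group would be (?P<name>...) in Python / (?<name>...) in PCRE.
    "original": r"(?i)command \\((?CMD.*)\\)",
    # Ayn: exact match on "command (CMD)"
    "ayn_exact": r"command \(CMD\)",
    # Ayn: "command (" followed by any command name in parentheses
    "ayn_any": r"command \([^\)]+\)",
    # ftk: require both the CMD command and the source host in the same event
    "ftk_cmd_and_host": r"command \(CMD\).*src=1\.2\.3\.4",
}


def compile_or_error(pattern):
    """Compile a REGEX; return (compiled, None) or (None, error text)."""
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, str(exc)


def route(pattern, events):
    """Emulate DEST_KEY=queue / FORMAT=nullQueue: any event the REGEX matches is dropped.

    Splunk applies REGEX as an unanchored search, so re.search is used rather than re.match.
    Returns (dropped, indexed) lists in original order.
    """
    compiled, err = compile_or_error(pattern)
    if compiled is None:
        raise ValueError(f"invalid REGEX: {err}")
    dropped = [e for e in events if compiled.search(e)]
    indexed = [e for e in events if not compiled.search(e)]
    return dropped, indexed


def summarize(events):
    """Map each candidate name to the number of events it would drop, or 'invalid'."""
    result = {}
    for name, pattern in REGEXES.items():
        try:
            result[name] = len(route(pattern, events)[0])
        except ValueError:
            result[name] = "invalid"
    return result


if __name__ == "__main__":
    for name, pattern in REGEXES.items():
        print(f"[{name}] REGEX = {pattern}")
        try:
            dropped, indexed = route(pattern, SAMPLE_EVENTS)
        except ValueError as exc:
            print(f"  {exc}\n")
            continue
        for e in dropped:
            print("  -> nullQueue:", e.split("|")[5], e.rsplit("src=", 1)[1].split()[0])
        print(f"  {len(dropped)} dropped, {len(indexed)} indexed\n")
```

Running it shows the trade-off the thread is about: the posted regex is rejected by the engine, `command \(CMD\)` drops every CMD event regardless of host (events 0 and 1), `command \([^\)]+\)` also drops the LS event, and only the combined pattern restricts the drop to CMD events whose src field is 1.2.3.4. Before deploying any of these, it is worth checking what else the pattern would match, since anything sent to nullQueue never reaches the index and cannot be recovered later.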