Splunk Search

Regex to log will not contain anything

jrodriguezap
Contributor

Hello.
I appreciate your support. In the transforms.conf file I am trying to write a REGEX that matches all logs without "webfilter" and sends them to nullQueue.
I tried something like this:
[discard]
REGEX=!webfilter
DEST_KEY=queue
FORMAT=nullQueue

but that did not work, so then I tried:
[discard]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
[maintain]
REGEX=webfilter
DEST_KEY=queue
FORMAT=indexQueue

But neither worked.
What would be the correct syntax for this case?
Thanks in advance.

0 Karma

lukejadamec
Super Champion

Try this. I'm only guessing at the regex because you have not posted an example of your event.

In props.conf

[host::10.10.0.5]
TRANSFORMS-FORTIGATE=discard,maintain

In transforms.conf

[discard]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[maintain]
REGEX=webfilter
DEST_KEY=queue
FORMAT=indexQueue

kristian_kolb
Ultra Champion

Then you should add an extra stanza in transforms.conf:

[null_dns_ssl]
REGEX = app=\"(DNS|SSL)\"
DEST_KEY = queue
FORMAT = nullQueue

And call it from props.conf like this (order is important):

TRANSFORMS-FORTIGATE = discard, maintain, null_dns_ssl

/K

jrodriguezap
Contributor

Ah ok, if so that's fine; so far I agree with Splunk.
Rather, now that I'm reviewing the result of the filter we made, there are some logs that I would not want to lose, and those are the ones that do not contain the following: app="DNS" or app="SSL"
I tried to do it like this: REGEX=webfilter|app=(?!"DNS|SSL]")
But it is still showing me logs with app="DNS" or app="SSL"
Could I be wrong?

0 Karma

lukejadamec
Super Champion

The solution I posted is the documented solution. How about we get it working first, and then optimize.

jrodriguezap
Contributor

Hello, thanks. The detail was that they are separated with commas, as aliases: TRANSFORMS-FORTIGATE = discard, Maintain
But tell me, wouldn't the double REGEX be the less optimal one compared with lguinn's idea? Maybe it saves some resources, right?

0 Karma

lguinn2
Legend

I think that the problem was the regular expression. This one is more complicated, but I think it will actually work. The other one was wrong.

In transforms.conf

[discard]
REGEX=(?i)(?!.*?webfilter)
DEST_KEY=queue
FORMAT=nullQueue

In props.conf

[host::10.10.0.5]
TRANSFORMS-FORTIGATE_discard=discard

Note that in your comment, you have two transforms that start with TRANSFORMS-FORTIGATE and these should be unique. For example TRANSFORMS-FORTIGATE1 and TRANSFORMS-FORTIGATE2. I renamed my stanza above to make sure it was unique.

0 Karma
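To see how a TRANSFORMS-* chain actually decides the queue, here is an added simulation (not code from the thread or from Splunk); it uses Python's re module as a stand-in for Splunk's PCRE matching, and the events are constructed, loosely FortiGate-style lines. It runs the discard/maintain/null_dns_ssl chain from the earlier posts and also shows that the unanchored negative lookahead from the post above produces a zero-width match on every event (so everything goes to nullQueue), while anchoring it with ^ gives a true "does not contain webfilter".

```python
import re

# Constructed sample events (not from the thread), loosely FortiGate-style key=value lines.
EVENTS = [
    'date=2024-01-01 type=utm subtype=webfilter app="HTTP" url="example.com"',
    'date=2024-01-01 type=utm subtype=webfilter app="DNS" url="example.com"',
    'date=2024-01-01 type=traffic subtype=forward app="SSL"',
    'date=2024-01-01 type=event subtype=system msg="admin login"',
]


def route(event, transforms):
    """Simulate a TRANSFORMS-* list with DEST_KEY=queue.

    Splunk evaluates every stanza in the list, in order, with an unanchored
    regex search; each match overwrites the queue, so the last matching
    stanza wins. Events matched by no stanza keep the default indexQueue.
    """
    queue = "indexQueue"
    for regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


# The chain from the thread: drop everything, keep webfilter, then drop DNS/SSL.
CHAIN = [
    (r".", "nullQueue"),                   # [discard]
    (r"webfilter", "indexQueue"),          # [maintain]
    (r'app=\"(DNS|SSL)\"', "nullQueue"),   # [null_dns_ssl]
]

# Single-stanza variant with the negative lookahead exactly as posted.
# Unanchored, the engine retries at every offset; past the last "webfilter"
# the lookahead succeeds, so every event matches and is discarded.
LOOKAHEAD_UNANCHORED = [(r"(?i)(?!.*?webfilter)", "nullQueue")]

# Anchored to the start of the event, the lookahead is tested once and only
# events that contain no "webfilter" anywhere are matched.
LOOKAHEAD_ANCHORED = [(r"(?i)^(?!.*webfilter)", "nullQueue")]


def routed(transforms=CHAIN):
    """Return the queue assigned to each sample event under the given chain."""
    return [route(e, transforms) for e in EVENTS]
```

Only the first event (webfilter, not DNS/SSL) reaches indexQueue under the three-stanza chain; the unanchored lookahead sends all four to nullQueue.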

jrodriguezap
Contributor

Hi, thanks for your reply. I find the syntax interesting, but now this filters all my logs and does not let any through 😞

0 Karma

jrodriguezap
Contributor

Hello, do you know what the problem could be?

0 Karma

jrodriguezap
Contributor

Hi, I have the following:
[host::10.10.0.5]
TRANSFORMS-FORTIGATE=discard
TRANSFORMS-FORTIGATE=maintain

I just want to keep the logs that have "Webfilter".

0 Karma

lukejadamec
Super Champion

What do you have in the corresponding props.conf?
Also, an example of the event that contains "webfilter" would be handy.

0 Karma