I am new to both Splunk and REGEX. I am trying to filter out syslog data from a single src address.
I have the following in my transforms.conf:
[setnull]
REGEX = \[src=172.23.8.50\]
DEST_KEY = queue
FORMAT = nullQueue
My data looks like this:
Oct 8 13:08:46 10.103.236.21 SSG550: NetScreen device_id=SSG550 [Root]system-notification-00257(traffic): start_time="2010-10-08 13:08:46" duration=0 policy_id=225 service=tcp/port:7777 proto=6 src zone=DMZ-8 dst zone=WAN action=Permit sent=0 rcvd=0 src=172.23.8.50 dst=172.20.15.22 src_port=15120 dst_port=7777 src-xlated ip=172.23.8.50 port=15120 dst-xlated ip=172.20.15.22 port=7777 session_id=250914
Isn't there some way I can select these records based on the field "src"? If not, can someone tell me why my regex above is not working.
Thanks again for helping a newbie out.
If it helps at all, I found this video which explains adding lines to props.conf and transforms.conf (towards the end, first half or so is about the rex search command).
http://blogs.splunk.com/2008/10/22/all-my-regexs-live-in-texas/
I'm not sure your regex syntax is correct. The "[" and "]" are special chars. You might try something like this:
[setnull]
REGEX=src=172\.23\.8\.50
DEST_KEY=queue
FORMAT=nullQueue
Also you need to refer to this transforms.conf entry from somewhere inside of props.conf. Something like:
[mysourcetype]
TRANSFORMS-routing=setnull
There are good examples of this at:
http://www.splunk.com/base/Documentation/4.1.5/Admin/Routeandfilterdata
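To see why the two stanzas behave differently, here is a small simulation of what the nullQueue transform does: it runs the REGEX against the raw event and, on a match, routes the event to nullQueue instead of the index. This is an added example, not code from the thread or from Splunk; the sample events are constructed from the event in the question (the second one has its source address changed to 172.23.8.500), and the `route` function and the `STRICT_REGEX` pattern with `\b` boundaries are my additions, not something either poster wrote.

```python
import re

# Constructed sample event, modelled on the NetScreen event in the question.
SAMPLE_EVENT = (
    'Oct 8 13:08:46 10.103.236.21 SSG550: NetScreen device_id=SSG550 '
    '[Root]system-notification-00257(traffic): start_time="2010-10-08 13:08:46" '
    'duration=0 policy_id=225 service=tcp/port:7777 proto=6 src zone=DMZ-8 '
    'dst zone=WAN action=Permit sent=0 rcvd=0 src=172.23.8.50 dst=172.20.15.22 '
    'src_port=15120 dst_port=7777 src-xlated ip=172.23.8.50 port=15120 '
    'dst-xlated ip=172.20.15.22 port=7777 session_id=250914'
)

# Constructed second event from a different (longer) source address; it must be indexed.
OTHER_EVENT = SAMPLE_EVENT.replace("src=172.23.8.50", "src=172.23.8.500")

# The regex from the question: \[ and \] demand literal brackets around "src=...",
# and the event has none, so it never matches.
ORIGINAL_REGEX = r"\[src=172.23.8.50\]"

# The regex from the answer: dots escaped so they match only a literal ".".
SUGGESTED_REGEX = r"src=172\.23\.8\.50"

# Added here (assumption, not from the thread): word boundaries so that
# 172.23.8.50 does not also match the prefix of 172.23.8.500.
STRICT_REGEX = r"\bsrc=172\.23\.8\.50\b"


def route(event, regex):
    """Mimic a transforms.conf stanza with DEST_KEY=queue and FORMAT=nullQueue.

    By default the transform's REGEX is applied to the raw event text (_raw).
    A match sends the event to nullQueue (discarded); otherwise it is indexed.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def compare_routing():
    """Return the routing decision for each (event, regex) pair."""
    return {
        "original/sample": route(SAMPLE_EVENT, ORIGINAL_REGEX),
        "suggested/sample": route(SAMPLE_EVENT, SUGGESTED_REGEX),
        "strict/sample": route(SAMPLE_EVENT, STRICT_REGEX),
        "suggested/other": route(OTHER_EVENT, SUGGESTED_REGEX),
        "strict/other": route(OTHER_EVENT, STRICT_REGEX),
    }


if __name__ == "__main__":
    for name, decision in compare_routing().items():
        print(f"{name:18s} -> {decision}")
```

The original regex sends the sample event to indexQueue because the bracket escapes demand characters that are not in the event; the answer's regex drops it as intended. The unanchored version also drops the constructed 172.23.8.500 event, which is why a boundary after the last octet is worth adding when filtering on an address. Note also that the props.conf stanza name must be the sourcetype the data actually arrives under (or a `source::` or `host::` pattern); if the stanza does not match the incoming data, the transform is never applied and nothing is filtered.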