https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574738#M10700 <P>Again, to properly diagnose a regex problem we need to see the events that are to be matched.&nbsp; Not just a tiny snippet, either.&nbsp; Feel free to anonymize sensitive data.</P><P>Have you tested your regular expressions on a site like regex101.com?</P> Fri, 12 Nov 2021 13:16:19 GMT richgalloway 2021-11-12T13:16:19Z https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574388#M10657 <OL><LI><DIV class="">In props.conf, set the TRANSFORMS-null attribute:<PRE>[ActiveDirectory] TRANSFORMS-null= setnull</PRE></DIV></LI><LI><DIV class="">Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":<PRE>[setnull] REGEX = \[<SPAN class="">ms_Mcs_</SPAN><SPAN class="">AdmPwdExpirationTime</SPAN>\] DEST_KEY = queue FORMAT = nullQueue</PRE></DIV></LI><LI><DIV class="">Restart Splunk Enterprise.<BR /><BR />field =&nbsp;<SPAN class="">ms_Mcs_</SPAN><SPAN class="">AdmPwdExpirationTime</SPAN><BR /><SPAN>the values ​​are still in the index</SPAN><BR />Not working. &nbsp;what did I indicate wrong?</DIV></LI></OL> Wed, 10 Nov 2021 11:13:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574388#M10657 gitingua 2021-11-10T11:13:04Z https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574403#M10660 <P>There likely is an error in the regex, but to know that for sure we'll need to see some example data.</P> Wed, 10 Nov 2021 13:25:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574403#M10660 richgalloway 2021-11-10T13:25:18Z https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574498#M10672 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>example</P><P>2Wc23q</P><P>C23gAwe3</P> Wed, 10 Nov 2021 21:21:32 GMT https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574498#M10672 gitingua 2021-11-10T21:21:32Z https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574573#M10683 <P>There's the problem.&nbsp; The example data does not match the regex since none of them contain the string "ms_Mcs_AdmPwdExpirationTime".&nbsp; You'll have to find a regular expression that matches all expected strings you wish to send to the null queue.</P> Thu, 11 Nov 2021 13:40:16 GMT https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574573#M10683 richgalloway 2021-11-11T13:40:16Z https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574576#M10684 <P><SPAN>I was wrong. given string. "ms_Mcs_AdmPwd"&nbsp;there are random symbols of the unit and letters</SPAN></P><P><SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</SPAN></P> Thu, 11 Nov 2021 13:49:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574576#M10684 gitingua 2021-11-11T13:49:24Z https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574678#M10695 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P><SPAN>props.conf</SPAN></P><P><SPAN>[</SPAN><SPAN>Active</SPAN><SPAN>Directory]</SPAN></P><P><SPAN>TRANSFORMS-null = setnull</SPAN></P><P>&nbsp;</P><P><SPAN>transforms.conf</SPAN></P><P><SPAN>[setnull]</SPAN></P><P><SPAN>REGEX = ms-Mcs-AdmPwd\s*=(.*)</SPAN></P><P><SPAN>DEST_KEY = queue</SPAN></P><P><SPAN>FORMAT = nullQueue</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>not working</SPAN></P> Fri, 12 Nov 2021 01:12:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574678#M10695 gitingua 2021-11-12T01:12:04Z https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574738#M10700 <P>Again, to properly diagnose a regex problem we need to see the events that are to be matched.&nbsp; Not just a tiny snippet, either.&nbsp; Feel free to anonymize sensitive data.</P><P>Have you tested your regular expressions on a site like regex101.com?</P> Fri, 12 Nov 2021 13:16:19 GMT https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574738#M10700 richgalloway 2021-11-12T13:16:19Z https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574743#M10701 <P>&nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Снимок экрана 2021-11-12 в 17.21.43.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16838i7E447E31A086802B/image-size/medium?v=v2&amp;px=400" role="button" title="Снимок экрана 2021-11-12 в 17.21.43.png" alt="Снимок экрана 2021-11-12 в 17.21.43.png" /></span></P><P>&nbsp;</P><P>yes. check in regex101. enable.&nbsp;</P><P>tried different regex methods working. now standing which is in the picture above</P> Fri, 12 Nov 2021 14:24:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/TRANSFORMS-null-setnull/m-p/574743#M10701 gitingua 2021-11-12T14:24:10Z