https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757635#M120168 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196884">@danielbb</a>&nbsp;,</P><P>as also&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;said, it's mandatory to have a sample of your logs to check your regex, even if it's very simple.</P><P>One additional question: what's the flow of your data?</P><P>To correctly work this transformation must be located in the first full Splunk instance where logs pass through, in other words in the first Heavy Forwarder.</P><P>Ciao.</P><P>Giuseppe</P> Sat, 24 Jan 2026 06:36:53 GMT gcusello 2026-01-24T06:36:53Z https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757623#M120162 <P>I have this "innocent" regex to send to the nullQueue in transforms.conf, and it doesn't work. I'm scratching my head for two days, what can this be?</P><P><SPAN class="">REGEX</SPAN> = \} OnChange</P> Fri, 23 Jan 2026 23:03:19 GMT https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757623#M120162 danielbb 2026-01-23T23:03:19Z https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757627#M120165 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196884">@danielbb</a>&nbsp;</P><P>Are you able to post a sample of the event you are working with and also how you are calling the REGEX/transform?</P><P>Does this make any difference?</P><LI-CODE lang="markup">REGEX = \}\sOnChange</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Fri, 23 Jan 2026 19:44:11 GMT https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757627#M120165 livehybrid 2026-01-23T19:44:11Z https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757635#M120168 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196884">@danielbb</a>&nbsp;,</P><P>as also&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;said, it's mandatory to have a sample of your logs to check your regex, even if it's very simple.</P><P>One additional question: what's the flow of your data?</P><P>To correctly work this transformation must be located in the first full Splunk instance where logs pass through, in other words in the first Heavy Forwarder.</P><P>Ciao.</P><P>Giuseppe</P> Sat, 24 Jan 2026 06:36:53 GMT https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757635#M120168 gcusello 2026-01-24T06:36:53Z https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757665#M120172 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;,</P><P>Thank you for the great response.<BR /><BR />It seemed to have been a simple typo on my side.</P><P>Do you know how I could rework this REGEX to work for multiple phrases (about 50 or so)?</P><P>Is it best practice to do it all in one REGEX statement or split it into multiple transforms.conf stanzas?</P> Mon, 26 Jan 2026 15:58:40 GMT https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757665#M120172 danielbb 2026-01-26T15:58:40Z https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757671#M120174 <P>Well, performance-wise one transform with a <EM>well-crafted</EM> regex should be faster than several dozens of separate ones. The question is whether you'll need to maintain that later because a single humongous regex can be very confusing and prone to errors on edit.</P> Mon, 26 Jan 2026 18:24:12 GMT https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757671#M120174 PickleRick 2026-01-26T18:24:12Z https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757774#M120183 <P>That sounds great,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;how long can the REGEX string be? and is there any way to "beautify" it instead of using constant pipes "|" so it's more readable?</P> Thu, 29 Jan 2026 17:35:02 GMT https://community.splunk.com/t5/Getting-Data-In/What-s-wrong-with-this-REGEX/m-p/757774#M120183 danielbb 2026-01-29T17:35:02Z