https://community.splunk.com/t5/Getting-Data-In/Try-to-use-transforms-conf/m-p/232129#M45250 <P>Hula, you made me laugh this morning. "... a failure in REGEX or in Brain 1.0". Thank you for that.</P> <P>BTW, try <CODE>REGEX=POLLER</CODE></P> <P>I'm assuming that the word "POLLER" won't be found in any event you want to keep? Here's the regex101 you can use to confirm it works.</P> <P><A href="https://regex101.com/r/Dtydhe/1">https://regex101.com/r/Dtydhe/1</A></P> Wed, 18 Jan 2017 12:49:59 GMT Richfez 2017-01-18T12:49:59Z https://community.splunk.com/t5/Getting-Data-In/Try-to-use-transforms-conf/m-p/232128#M45249 <P>Hi,</P> <P>we try around with Splunk (first contact). We to prof what we can log from HDS Storages.</P> <P>System report via Port 11101 UDP:</P> <P>As an example what we dont need.<BR /> "Jan 18 11:44:23 SYSXX Jan 18 11:44:27 SVP Storage: CELFSS,1.1,410713,,2017-01-18T11:44:27.1+01:00,Storage,SVP,Authentication,Success,uid=lalalal({COMPONENT-POLLER}:DvM_Srv),R800:XXXXX,,SYSXX_Auditlog,,,,from=10.135.XXX.XXX,,,,384397,BasicLog,,,RMI AP,167,,[BASE],Logout,,Normal end,Seq.=0000384397"</P> <P>these messages are coming (varies) in 1-5 minutes with similia content. All what we get with "POLLER" shoudl be not sorted in...ist useless for us.</P> <P>Copy props.conf to *system/local and add at the end:<BR /> [source::udp:11101]<BR /> TRANSFORMS-null= setnull</P> <P>copy transforms and add at the end.<BR /> [setnull]<BR /> REGEX = [/<EM>POLLER</EM>]<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>But that did not work. All of the messages are coming in. I guess i made a failure in REGEX or in Brain 1.0...not sure. <BR /> where is my fault?</P> <P>regards</P> Tue, 29 Sep 2020 12:24:24 GMT https://community.splunk.com/t5/Getting-Data-In/Try-to-use-transforms-conf/m-p/232128#M45249 Hula 2020-09-29T12:24:24Z https://community.splunk.com/t5/Getting-Data-In/Try-to-use-transforms-conf/m-p/232129#M45250 <P>Hula, you made me laugh this morning. "... a failure in REGEX or in Brain 1.0". Thank you for that.</P> <P>BTW, try <CODE>REGEX=POLLER</CODE></P> <P>I'm assuming that the word "POLLER" won't be found in any event you want to keep? Here's the regex101 you can use to confirm it works.</P> <P><A href="https://regex101.com/r/Dtydhe/1">https://regex101.com/r/Dtydhe/1</A></P> Wed, 18 Jan 2017 12:49:59 GMT https://community.splunk.com/t5/Getting-Data-In/Try-to-use-transforms-conf/m-p/232129#M45250 Richfez 2017-01-18T12:49:59Z https://community.splunk.com/t5/Getting-Data-In/Try-to-use-transforms-conf/m-p/232130#M45251 <P>Will try this line.<BR /> REGEX = POLLER</P> <P>Thx...have to wait i little while. </P> Wed, 18 Jan 2017 13:00:34 GMT https://community.splunk.com/t5/Getting-Data-In/Try-to-use-transforms-conf/m-p/232130#M45251 Hula 2017-01-18T13:00:34Z https://community.splunk.com/t5/Getting-Data-In/Try-to-use-transforms-conf/m-p/232131#M45252 <P>Hmmm, did not work. Sry, im realy a beginner.</P> <PRE><CODE>[setnull] REGEX = POLLER DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Wed, 18 Jan 2017 13:22:00 GMT https://community.splunk.com/t5/Getting-Data-In/Try-to-use-transforms-conf/m-p/232131#M45252 Hula 2017-01-18T13:22:00Z