https://community.splunk.com/t5/Getting-Data-In/What-is-the-regular-expression-for-these-Event-ID-codes/m-p/237135#M46063 <P>1100,1101,1102,1104,1105,1108<BR /> 4624-4627,4634,4646-4668,4670-4672,4675,4690-4691,4698-4702,4704-4707,4709-4720,4722-4735,4737-4794,4797-4803<BR /> 4817-4820,4865-4900,4902,4904-4908,4911-4913,4928-4937,4944-4952,4954,4956-4958,4964,4976,4985<BR /> 5031,5063-5070,5120,5136-5145,5148-5159,5168,5376-5377,5440-5444,5446-5453,5456-5468,5471-5474,5477,5632-5633,5888-5889<BR /> 6144-6145,6272-6280</P> <P>This are the list of event codes data i want to send to splunk cloud and for which i need regular expressions.</P> <P>please help me in creating regular expressions... help will appreciated...</P> Thu, 12 Jan 2017 17:31:21 GMT chanamoluk 2017-01-12T17:31:21Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-regular-expression-for-these-Event-ID-codes/m-p/237133#M46061 <P>Client needs to push these event codes through <STRONG>Heavy Forwarder</STRONG> to Splunk Cloud.<BR /> So please help in creating REGEX for filtering the below Event ID's in <STRONG>transforms.conf</STRONG> and <STRONG>props.conf</STRONG><BR /> <STRONG>transforms.conf</STRONG></P> <PRE><CODE>1100,1101,1102,1104,1105,1108 4624-4627,4634,4646-4668,4670-4672,4675,4690-4691,4698-4702,4704-4707,4709-4720,4722-4735,4737-4794,4797-4803 </CODE></PRE> Thu, 12 Jan 2017 16:21:52 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-regular-expression-for-these-Event-ID-codes/m-p/237133#M46061 chanamoluk 2017-01-12T16:21:52Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-regular-expression-for-these-Event-ID-codes/m-p/237134#M46062 <P>Hi chanamoluk, </P> <P>The IDs you provided are just samples - a small subset of all the event IDs with the same patterns you want to capture, right? <BR /> If so, I think there are two primary patterns: /d{4} and /d{4}-/d{4}. </P> <P>You can then filter out events with these IDs using the following example stanzas - just for your reference. </P> <P>props.conf</P> <PRE><CODE>[EventLog:System] TRANSFORMS = null_queue_filter </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[null_queue_filter] REGEX = (?m)^EventID=(/d{4}|/d{4}-/d{4}) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Hope this helps. Thanks!<BR /> Hunter</P> Thu, 12 Jan 2017 17:14:26 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-regular-expression-for-these-Event-ID-codes/m-p/237134#M46062 hunters_splunk 2017-01-12T17:14:26Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-regular-expression-for-these-Event-ID-codes/m-p/237135#M46063 <P>1100,1101,1102,1104,1105,1108<BR /> 4624-4627,4634,4646-4668,4670-4672,4675,4690-4691,4698-4702,4704-4707,4709-4720,4722-4735,4737-4794,4797-4803<BR /> 4817-4820,4865-4900,4902,4904-4908,4911-4913,4928-4937,4944-4952,4954,4956-4958,4964,4976,4985<BR /> 5031,5063-5070,5120,5136-5145,5148-5159,5168,5376-5377,5440-5444,5446-5453,5456-5468,5471-5474,5477,5632-5633,5888-5889<BR /> 6144-6145,6272-6280</P> <P>This are the list of event codes data i want to send to splunk cloud and for which i need regular expressions.</P> <P>please help me in creating regular expressions... help will appreciated...</P> Thu, 12 Jan 2017 17:31:21 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-regular-expression-for-these-Event-ID-codes/m-p/237135#M46063 chanamoluk 2017-01-12T17:31:21Z