topic Re: transforms.conf returning events that match REGEX value as value of FORMAT key in Getting Data In https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294613#M55978 <P>A capturing group is basically within <CODE>( )</CODE> have a read here <A href="https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html">https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html</A> where I used two capturing groups <CODE>$1</CODE> and <CODE>$2</CODE> both were created using this regex <CODE>([a-z]+)=([a-z]+)</CODE>. </P> <P>Also starting a regex with <CODE>.*</CODE> is .... let's call suboptimal because it matches everything. I would optimise the nullQueue regex to match the things you don't want and skip the <CODE>[passthru]</CODE> completely <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>cheers, MuS</P> Thu, 12 Oct 2017 00:31:04 GMT MuS 2017-10-12T00:31:04Z transforms.conf returning events that match REGEX value as value of FORMAT key https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294609#M55974 <P>I am trying to build a filter so I only index events that match this regex: </P> <PRE><CODE>.*[%].* </CODE></PRE> <P>I asked a <A href="https://answers.splunk.com/answers/578692/using-the-transformsconf-file-to-only-forward-even-1.html#comment-578697">question previously that was answered</A> </P> <P>I was able to change the data coming into my system using this transform: </P> <PRE><CODE>[filter-debug] REGEX=.*[%].* DEST_KEY = _raw FORMAT = $1 </CODE></PRE> <P>The problem I am experiencing is that anything matching my REGEX has it's _raw replaced with whatever I set the FORMAT to be. So in the example above all of my events matching my regex would return a literal "$1" as their event data. This was the case no matter what I put into FORMAT and I can't get rid of FORMAT because it just defaults to </P> <PRE><CODE>[filter-debug]::$ </CODE></PRE> <P>And so then that's what all my events look like. Thoughts?</P> Wed, 11 Oct 2017 23:05:10 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294609#M55974 JordanPeterson 2017-10-11T23:05:10Z Re: transforms.conf returning events that match REGEX value as value of FORMAT key https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294610#M55975 <P>Usually <CODE>$1</CODE> refers to the first capturing group, but I don't see a capturing group in your regex?</P> Wed, 11 Oct 2017 23:11:07 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294610#M55975 MuS 2017-10-11T23:11:07Z Re: transforms.conf returning events that match REGEX value as value of FORMAT key https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294611#M55976 <P>I believe I figured it out. My new transforms.conf looks like this: </P> <PRE><CODE># drop everything that doesn't match [passthru] [drop-debug] REGEX =.* DEST_KEY = queue FORMAT = nullQueue # send everything else on to the indexer [passthru] REGEX=.*[%].* DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>I think my previous problem was trying to send to _raw after sending to indexQueue didn't work. </P> Wed, 11 Oct 2017 23:13:06 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294611#M55976 JordanPeterson 2017-10-11T23:13:06Z Re: transforms.conf returning events that match REGEX value as value of FORMAT key https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294612#M55977 <P>Could you clarify what a capturing group is? If I just wrapped my regex in a couple parans would that make it a capturing group? </P> Wed, 11 Oct 2017 23:34:55 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294612#M55977 JordanPeterson 2017-10-11T23:34:55Z Re: transforms.conf returning events that match REGEX value as value of FORMAT key https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294613#M55978 <P>A capturing group is basically within <CODE>( )</CODE> have a read here <A href="https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html">https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html</A> where I used two capturing groups <CODE>$1</CODE> and <CODE>$2</CODE> both were created using this regex <CODE>([a-z]+)=([a-z]+)</CODE>. </P> <P>Also starting a regex with <CODE>.*</CODE> is .... let's call suboptimal because it matches everything. I would optimise the nullQueue regex to match the things you don't want and skip the <CODE>[passthru]</CODE> completely <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>cheers, MuS</P> Thu, 12 Oct 2017 00:31:04 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-returning-events-that-match-REGEX-value-as-value/m-p/294613#M55978 MuS 2017-10-12T00:31:04Z