https://community.splunk.com/t5/Getting-Data-In/Setnull-and-Setparsing/m-p/471155#M80997 <P>@to4kawa - Exactly I did the same thing as well. </P> <P>REGEX works fine in SETNULL but not in SETPARSING. <BR /> [setnull]<BR /> REGEX= .<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>[setparsing]<BR /> REGEX=yahoo.com<BR /> DEST_KEY=queue<BR /> FORMAT=indexQueue</P> <P>If I put REGEX of SETPARSING in SETNULL , it works well - which indicates its not a REGEX issue too. </P> <P>Any other insight ?</P> Mon, 13 Apr 2020 12:12:50 GMT rashi83 2020-04-13T12:12:50Z https://community.splunk.com/t5/Getting-Data-In/Setnull-and-Setparsing/m-p/471152#M80994 <P>I am using SETNULL and SETPARSING to include and exclude log events. Here is the files - </P> <P>Props.conf<BR /> [OktaIM2:log]<BR /> TRANSFORMS-set= setnull,setparsing</P> <P>transforms.conf<BR /> [setnull]<BR /> REGEX=gmail.com<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>[setparsing]<BR /> REGEX=yahoo.com<BR /> DEST_KEY=queue<BR /> FORMAT=indexQueue</P> <P>SETNULL filter works well, but not SETPARSING one. I tried following - </P> <P>1) changed order to setparsing,setnull in props.conf<BR /> restarted splunk after making changes</P> <P>Any insights why INCLUDE filter is not working as expected ?</P> Fri, 10 Apr 2020 20:01:12 GMT https://community.splunk.com/t5/Getting-Data-In/Setnull-and-Setparsing/m-p/471152#M80994 rashi83 2020-04-10T20:01:12Z https://community.splunk.com/t5/Getting-Data-In/Setnull-and-Setparsing/m-p/471153#M80995 <P>Okay, so you are creating a field called <CODE>queue</CODE> that contains either the value <CODE>nullQueue</CODE>, the value <CODE>indexQueue</CODE>, or no value at all.</P> <P>First, if any part of the record matches the REGEX <CODE>gmail.com</CODE> (for instance <CODE>gmailxcom</CODE> and <CODE>gmail.com</CODE> match that regex) then the field will be assigned the value <CODE>nullQueue</CODE>.</P> <P>Then, if any part of the record matches the REGEX <CODE>yahoo.com</CODE> (for instance <CODE>yahoo9com</CODE> and <CODE>yahoo.com</CODE> match that regex) then the field will be assigned or changed to the value <CODE>indexQueue</CODE>.</P> <P>If no part matches either, then the field <CODE>queue</CODE> will not be created.</P> <P>So, when you say it is not working, are you saying that events which have the value <CODE>yahoo.com</CODE> in them are not being assigned a value for <CODE>queue</CODE>? </P> <P>And where and when are you validating that?</P> Fri, 10 Apr 2020 21:36:32 GMT https://community.splunk.com/t5/Getting-Data-In/Setnull-and-Setparsing/m-p/471153#M80995 DalJeanis 2020-04-10T21:36:32Z https://community.splunk.com/t5/Getting-Data-In/Setnull-and-Setparsing/m-p/471154#M80996 <P>see<BR /> <A href="https://www.coursehero.com/file/p7nhp2hf/When-you-set-the-setnull-transform-first-it-matches-all-events-and-tags-them-to/">https://www.coursehero.com/file/p7nhp2hf/When-you-set-the-setnull-transform-first-it-matches-all-events-and-tags-them-to/</A></P> Fri, 10 Apr 2020 21:38:25 GMT https://community.splunk.com/t5/Getting-Data-In/Setnull-and-Setparsing/m-p/471154#M80996 to4kawa 2020-04-10T21:38:25Z https://community.splunk.com/t5/Getting-Data-In/Setnull-and-Setparsing/m-p/471155#M80997 <P>@to4kawa - Exactly I did the same thing as well. </P> <P>REGEX works fine in SETNULL but not in SETPARSING. <BR /> [setnull]<BR /> REGEX= .<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>[setparsing]<BR /> REGEX=yahoo.com<BR /> DEST_KEY=queue<BR /> FORMAT=indexQueue</P> <P>If I put REGEX of SETPARSING in SETNULL , it works well - which indicates its not a REGEX issue too. </P> <P>Any other insight ?</P> Mon, 13 Apr 2020 12:12:50 GMT https://community.splunk.com/t5/Getting-Data-In/Setnull-and-Setparsing/m-p/471155#M80997 rashi83 2020-04-13T12:12:50Z