topic Re: Filter event data using conditional regex in Splunk Search https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356059#M105364 <P>what does the last point 'if "EventType":"Login" not equals to Login index those event' mean?</P> Sun, 24 Sep 2017 12:04:28 GMT Sukisen1981 2017-09-24T12:04:28Z Filter event data using conditional regex https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356058#M105363 <P>HI All,</P> <P>Below is my raw event data . <BR /> {"FormatVersion":"1.1","StartTime":"2017-09-22T01:11:38.565Z","EndTime":"2017-09-22T01:11:39.468Z","EventType":"Login","Result":"Success","UserId":"dmorand","TerminalId":"172.16.3.85","SessionId":"RCIcAM1DxUYmG7WMDMkEuQXyGTpOqcBMtyrGOPpFUPU=","LoginUri":"/login-auth/saml","EventSource":"Platform","ServerHostname":"fe02.hbc.stage.us-west-2.orionsaas"}</P> <P>I want event indexing like below condition.<BR /> 1. IF "EventType":"Login" and "LoginUri":"/login-auth/saml" the index those event. means we need to discard those event in which event type = login and login uri != /login-auth/saml <BR /> 2. if "EventType":"Login" and "LoginUri" is not present then index those event<BR /> 3. If in logs event type not equal to login then index those events also</P> <P>please help for making this regex .</P> Sat, 23 Sep 2017 04:56:09 GMT https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356058#M105363 anshul0915 2017-09-23T04:56:09Z Re: Filter event data using conditional regex https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356059#M105364 <P>what does the last point 'if "EventType":"Login" not equals to Login index those event' mean?</P> Sun, 24 Sep 2017 12:04:28 GMT https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356059#M105364 Sukisen1981 2017-09-24T12:04:28Z Re: Filter event data using conditional regex https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356060#M105365 <P>If in logs event type not equal to login then index those events also</P> Sun, 24 Sep 2017 12:10:13 GMT https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356060#M105365 anshul0915 2017-09-24T12:10:13Z Re: Filter event data using conditional regex https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356061#M105366 <P>one last question - do you want to extract them in the conf files before getting indexed or you want to write a post search regex to extract ONLY these events using regex for this particular use case?</P> Sun, 24 Sep 2017 15:20:45 GMT https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356061#M105366 Sukisen1981 2017-09-24T15:20:45Z Re: Filter event data using conditional regex https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356062#M105367 <P>Want in conf file before getting indexed </P> Sun, 24 Sep 2017 15:44:14 GMT https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356062#M105367 anshul0915 2017-09-24T15:44:14Z Re: Filter event data using conditional regex https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356063#M105368 <P>Props.conf</P> <PRE><CODE> [sourcetypeName] KV_MODE=json INDEXED_EXTRACTIONS=true TRANSFORMS-toNull=toNull </CODE></PRE> <P>Transforms.conf</P> <PRE><CODE> [toNull] REGEX= .*^((?!EventType":"Login".*LoginUri":"\/login-auth\/saml).*) DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Sun, 24 Sep 2017 16:54:07 GMT https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356063#M105368 jkat54 2017-09-24T16:54:07Z Re: Filter event data using conditional regex https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356064#M105369 <P>Needs to be on the forwarder(s) and indexer(s). Will only apply to new data that is indexed after the settings are in placeZ </P> Sun, 24 Sep 2017 17:09:12 GMT https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356064#M105369 jkat54 2017-09-24T17:09:12Z Re: Filter event data using conditional regex https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356065#M105370 <P>Why on both places configuration required . On only indexer will it not work??</P> Sun, 24 Sep 2017 17:41:49 GMT https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356065#M105370 anshul0915 2017-09-24T17:41:49Z Re: Filter event data using conditional regex https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356066#M105371 <P>INDEXED_EXTRACTIONS has to be on the forwarder. The queue routing happens on first full Splunk instance (heavy forwarder or indexer).</P> Mon, 25 Sep 2017 18:26:10 GMT https://community.splunk.com/t5/Splunk-Search/Filter-event-data-using-conditional-regex/m-p/356066#M105371 jkat54 2017-09-25T18:26:10Z