https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470926#M132480 <P>I changed the regex and followed gcusello's advice, this worked like a charm (use the same regex for field extrations) :</P> <P>:: props.conf ::</P> <PRE><CODE>[c-icap] DATETIME_CONFIG = NO_BINARY_CHECK = true category = Custom description = squiclamav disabled = false pulldown_type = true TRANSFORMS-set= setnull,setparsing </CODE></PRE> <P>:: Transforms.conf ::</P> <PRE><CODE>[setparsing] REGEX=(.*Location.*http:\/\/example\.com\/cgi-bin\/clwarn\.cgi\?url=(?P&lt;url&gt;.*)\?X-Amz-Algorithm.*source=(?P&lt;src_ip&gt;[0-9\.]*).*stream:\s(?P&lt;threat_name&gt;[a-zA-Z0-9\-._]+).*) DEST_KEY=queue FORMAT=indexQueue </CODE></PRE> Thu, 04 Jun 2020 11:58:12 GMT williamhardykim 2020-06-04T11:58:12Z https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470922#M132476 <P>I am unable to whitelist input, I do not understand why, my Splunk is ingesting data from a c-icap server logfile and I only want to keep these logs (the ones with Anti-Virus Hit's), here is my inputs.conf file:</P> <PRE><CODE>[monitor:///var/log/c-icap/server.log] disabled = false sourcetype = c-icap whitelist= Message = ".*DEBUG.*Clamd.*FOUND.*" </CODE></PRE> <P>This is the type of log I want to allow into Splunk, my regex works fine, I have tested it, it is unclear what key/field name I should be using, I also tried "Event" instead of "Message" without success:</P> <PRE><CODE>Wed Jun 3 17:04:06 2020, 24488/1744570112, squidclamav.c(861) squidclamav_end_of_data_handler: Wed Jun 3 17:04:06 2020, 24488/1744570112, DEBUG received from Clamd: stream: Win.Trojan.Powershell-7007230-0 FOUND </CODE></PRE> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9029iCC3C5453644A8702/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>PS: I am using the free version of Splunk.</P> Mon, 08 Jun 2020 17:55:39 GMT https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470922#M132476 williamhardykim 2020-06-08T17:55:39Z https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470923#M132477 <P>Hi @williamhardykimber,<BR /> as you can read at <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf</A> , the whitelist option permits to filter the filenames to input not to filter the events and anyway it takes only regexes not strings like your.</P> <P>In Splunk it's possible to filter events on Indexers or (when present) on Heavy Forwarders, not on Universal Forwarders, with the only exception of Windows EventLogs.</P> <P>So if you want to filter events you have to follow instructions at <A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A> .</P> <P>Ciao.<BR /> Giuseppe</P> Thu, 04 Jun 2020 06:55:45 GMT https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470923#M132477 gcusello 2020-06-04T06:55:45Z https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470924#M132478 <P>Interesting, something like this ?</P> <PRE><CODE>Edit props.conf and add the following: [c-icap] TRANSFORMS-icap=icapnull Edit transforms.conf and add the following: [icapnull] REGEX=(.*DEBUG.*Clamd.*FOUND.*) DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Thu, 04 Jun 2020 07:56:22 GMT https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470924#M132478 williamhardykim 2020-06-04T07:56:22Z https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470925#M132479 <P>Hi @williamhardykimber,<BR /> yes, you can check the regex also in Splunk using the regex command</P> <PRE><CODE>your search | regex ".*DEBUG.*Clamd.*FOUND.*" </CODE></PRE> <P>Ciao.<BR /> Giuseppe</P> Thu, 04 Jun 2020 11:22:48 GMT https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470925#M132479 gcusello 2020-06-04T11:22:48Z https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470926#M132480 <P>I changed the regex and followed gcusello's advice, this worked like a charm (use the same regex for field extrations) :</P> <P>:: props.conf ::</P> <PRE><CODE>[c-icap] DATETIME_CONFIG = NO_BINARY_CHECK = true category = Custom description = squiclamav disabled = false pulldown_type = true TRANSFORMS-set= setnull,setparsing </CODE></PRE> <P>:: Transforms.conf ::</P> <PRE><CODE>[setparsing] REGEX=(.*Location.*http:\/\/example\.com\/cgi-bin\/clwarn\.cgi\?url=(?P&lt;url&gt;.*)\?X-Amz-Algorithm.*source=(?P&lt;src_ip&gt;[0-9\.]*).*stream:\s(?P&lt;threat_name&gt;[a-zA-Z0-9\-._]+).*) DEST_KEY=queue FORMAT=indexQueue </CODE></PRE> Thu, 04 Jun 2020 11:58:12 GMT https://community.splunk.com/t5/Splunk-Search/inputs-conf-whitelist-regex-issue-on-message-field/m-p/470926#M132480 williamhardykim 2020-06-04T11:58:12Z