https://community.splunk.com/t5/Splunk-Search/Have-Multiple-REGEX-in-Transforms/m-p/55328#M13509 <P>OK, thanks heaps for your help!</P> Wed, 09 Mar 2011 08:01:33 GMT Scarecrowddb 2011-03-09T08:01:33Z https://community.splunk.com/t5/Splunk-Search/Have-Multiple-REGEX-in-Transforms/m-p/55326#M13507 <P>Hi All,</P> <P>I was wondering how you go about sending different criteria to the null que and whether the below would work?</P> <P>----tranforms.conf----</P> <P>[WindowsLogonEvent675]<BR /> REGEX = (?msi)EventCode=4624.<EM>Account Name:\s</EM>(-)<BR /> REGEX = (?msi)^EventCode=(632|4719|4728|4729|4670)<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = forwardauqldrv00mgt1ai </P> <P>Or should the be done like below (with the same [xxxxx]?</P> <P>----tranforms.conf----</P> <P>[WindowsLogonEvent675]<BR /> REGEX = (?msi)EventCode=4624.<EM>Account Name:\s</EM>(-)<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = forwardauqldrv00mgt1ai </P> <P>----tranforms.conf----</P> <P>[WindowsLogonEvent675]<BR /> REGEX = (?msi)^EventCode=(632|4719|4728|4729|4670)<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = forwardauqldrv00mgt1ai </P> <P>Sorry for the vague question.... but I hope someone understands what I mean...</P> <P>Thanks</P> <P>David</P> Tue, 08 Mar 2011 05:53:54 GMT https://community.splunk.com/t5/Splunk-Search/Have-Multiple-REGEX-in-Transforms/m-p/55326#M13507 Scarecrowddb 2011-03-08T05:53:54Z https://community.splunk.com/t5/Splunk-Search/Have-Multiple-REGEX-in-Transforms/m-p/55327#M13508 <P>You cannot have multiple REGEX parameters in transforms.conf for the same stanza. You almost have it correct with breaking this into 2 transforms, but they need to have unique names. So here's how you would split into 2 and call them from props.conf</P> <P>-----props.conf-----</P> <P>[mysourcetype]<BR /> TRANSFORMS-foo = WindowsLogonEvent675_Part1, WindowsLogonEvent675_Part2</P> <P>-----transforms.conf-----</P> <P>WindowsLogonEvent675_Part1]<BR /> REGEX = (?msi)EventCode=4624.Account Name:\s(-)<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = forwardauqldrv00mgt1ai</P> <P>[WindowsLogonEvent675_Part2]<BR /> REGEX = (?msi)^EventCode=(632|4719|4728|4729|4670)<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = forwardauqldrv00mgt1ai</P> Tue, 08 Mar 2011 06:14:51 GMT https://community.splunk.com/t5/Splunk-Search/Have-Multiple-REGEX-in-Transforms/m-p/55327#M13508 hulahoop 2011-03-08T06:14:51Z https://community.splunk.com/t5/Splunk-Search/Have-Multiple-REGEX-in-Transforms/m-p/55328#M13509 <P>OK, thanks heaps for your help!</P> Wed, 09 Mar 2011 08:01:33 GMT https://community.splunk.com/t5/Splunk-Search/Have-Multiple-REGEX-in-Transforms/m-p/55328#M13509 Scarecrowddb 2011-03-09T08:01:33Z https://community.splunk.com/t5/Splunk-Search/Have-Multiple-REGEX-in-Transforms/m-p/55329#M13510 <P><A href="http://answers.splunk.com/answers/44245/regex-match-on-multiple-conditions-help.html">http://answers.splunk.com/answers/44245/regex-match-on-multiple-conditions-help.html</A></P> Tue, 14 Oct 2014 17:28:45 GMT https://community.splunk.com/t5/Splunk-Search/Have-Multiple-REGEX-in-Transforms/m-p/55329#M13510 the_wolverine 2014-10-14T17:28:45Z