https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513719#M144165 <P>Can anyone help on my request..</P> Wed, 12 Aug 2020 14:40:07 GMT anandhalagaras1 2020-08-12T14:40:07Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513694#M144155 <P>Hi All,</P><P>We are planning to ingest the SQL login success and failure logs into Splunk. So&nbsp; in the logs there are lot of events but we want to ingest only the "Login succeeded for user" and&nbsp;"Login failed for user" information alone. So kindly help to provide the regex for the same.</P><P>Sample events looks like below:</P><P>2020-08-10 06:00:00.89 Logon Login succeeded for user 'ad\SQL_abcde123'. Connection made using Windows authentication. [CLIENT: &lt;local machine&gt;]<BR />2020-08-10 06:00:01.59 Logon Login succeeded for user 'xyz'. Connection made using SQL Server authentication. [CLIENT: xxx.xxx.xxx.xxx]<BR />2019-08-10 05:00:01.59 Logon Login failed for user ''. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: xxx.xxx.xx.xxx]</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 12 Aug 2020 11:36:35 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513694#M144155 anandhalagaras1 2020-08-12T11:36:35Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513695#M144156 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Whitelistorblacklistspecificincomingdata" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Whitelistorblacklistspecificincomingdata</A><BR /><BR />[yours]</P><P>whitelist = (<SPAN>succeeded|failed) for user</SPAN></P> Wed, 12 Aug 2020 11:41:27 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513695#M144156 to4kawa 2020-08-12T11:41:27Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513697#M144157 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp;</P><P>&nbsp;</P><P>Thanks for your swift response. So i need to write in props.conf (or) should i need to include the same in inputs.conf along with index and sourcetype information.</P><P>Or Whether do we need to have both props and transforms in place as well?</P> Wed, 12 Aug 2020 11:46:49 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513697#M144157 anandhalagaras1 2020-08-12T11:46:49Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513716#M144163 <P>Hi&nbsp;</P><P>Have mentioned in the input.conf and ingested the logs into Splunk. But still i can see other events also getting ingested as well. I just want to see the succeeded and failed events alone. so let me know how to fix it.</P><P>&nbsp;</P><P>[monitor://D:\Server Location]<BR />whitelist = (succeeded|failed) for user<BR />sourcetype = xyz<BR />index = abc<BR />crcSalt = &lt;SOURCE&gt;<BR />disabled = 0</P><P>&nbsp;</P><P>So kindly help on this request.</P> Wed, 12 Aug 2020 13:42:14 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513716#M144163 anandhalagaras1 2020-08-12T13:42:14Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513719#M144165 <P>Can anyone help on my request..</P> Wed, 12 Aug 2020 14:40:07 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513719#M144165 anandhalagaras1 2020-08-12T14:40:07Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513747#M144177 <P>Can anyone help&nbsp;</P> Wed, 12 Aug 2020 16:23:30 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Required/m-p/513747#M144177 anandhalagaras1 2020-08-12T16:23:30Z