https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59507#M14661 <P>The problem lies in how you name/define the transform. In <CODE>props.conf</CODE>, you call for two transforms to take place. But these are not found in <CODE>transforms.conf</CODE>. Also, for wineventlogs, you do not need to do <CODE>source::</CODE> in props.</P> <P>And you don't need the <CODE>setparsing</CODE> transform either. From the example in the docs, that is used when you want discard all events (to the nullQueue), and then change back to the parsingQueue for those events that match the regex.</P> <P>Try this instead.</P> <P>props.conf</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-set=setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] REGEX = (?m)EventCode=5156 DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Hope this helps,</P> <P>K</P> Tue, 11 Jun 2013 11:46:37 GMT kristian_kolb 2013-06-11T11:46:37Z https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59505#M14659 <P>So I'm attempting to drop events from the windows security logs at the indexer so I've created a props.conf that is this:</P> <P><CODE><BR /> [source::WinEventLog:Security]<BR /> TRANSFORMS-set=setnull, setparsing<BR /> </CODE><BR /> and my transforms.conf is:</P> <P><CODE></CODE></P> <H1>Exclude windows events</H1> <P>[WinEventLog:Security]<BR /> REGEX = (?m) EventCode=(5156).<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue<BR /> </P> <P>So I'm a Splunk newbie and have struggled/searched/restarted my test instance countless times with still no success. These conf files are in the /opt/splunk/etc/system/local/ and I've yet to even get one event to hit the null queue??? Help!!! thanks in advance</P> Tue, 11 Jun 2013 11:11:36 GMT https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59505#M14659 cdupuis123 2013-06-11T11:11:36Z https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59506#M14660 <P>Hello</P> <P>EDITED:</P> <P>Follow Kristian answer...</P> <P>Regards</P> Tue, 11 Jun 2013 11:35:56 GMT https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59506#M14660 gfuente 2013-06-11T11:35:56Z https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59507#M14661 <P>The problem lies in how you name/define the transform. In <CODE>props.conf</CODE>, you call for two transforms to take place. But these are not found in <CODE>transforms.conf</CODE>. Also, for wineventlogs, you do not need to do <CODE>source::</CODE> in props.</P> <P>And you don't need the <CODE>setparsing</CODE> transform either. From the example in the docs, that is used when you want discard all events (to the nullQueue), and then change back to the parsingQueue for those events that match the regex.</P> <P>Try this instead.</P> <P>props.conf</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-set=setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] REGEX = (?m)EventCode=5156 DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Hope this helps,</P> <P>K</P> Tue, 11 Jun 2013 11:46:37 GMT https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59507#M14661 kristian_kolb 2013-06-11T11:46:37Z https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59508#M14662 <P>Awesome, thanks Kristian</P> <P>Now to add other events I just | them correct?</P> Tue, 11 Jun 2013 12:10:45 GMT https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59508#M14662 cdupuis123 2013-06-11T12:10:45Z https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59509#M14663 <P>Awesome, thanks Kristian</P> Tue, 11 Jun 2013 12:29:43 GMT https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59509#M14663 cdupuis123 2013-06-11T12:29:43Z https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59510#M14664 <P>Yes. (5125|4267|1337) etc</P> <P>I don't know if there is a risk that you'll match 5-digit EventCodes by accident, i.e. 1234 could also match 12345 Might want to add <CODE>\b</CODE> at the end of your string.</P> <P><CODE>REGEX=(?m)EventCode=(1234|3456|6789)\b</CODE></P> Tue, 11 Jun 2013 14:04:25 GMT https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59510#M14664 kristian_kolb 2013-06-11T14:04:25Z https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59511#M14665 <P>Any idea why this stopped working? Where do I start troubleshooting?</P> Thu, 11 Jul 2013 15:49:05 GMT https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59511#M14665 cdupuis123 2013-07-11T15:49:05Z https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59512#M14666 <P>Would this need to go on a indexer or search head in a cluster? Does the dropped data count toward license?</P> Fri, 12 Jul 2013 00:36:15 GMT https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59512#M14666 adrianathome 2013-07-12T00:36:15Z https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59513#M14667 <P>This operation takes place during the parsing phase. So the configuration must be on the first of the following in your chain from source log to indexed data; a Heavy Forwarder or an Indexer. See the following page;</P> <P><A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings</A></P> <P>No, dropped data does not count towards the license.</P> Fri, 12 Jul 2013 12:42:58 GMT https://community.splunk.com/t5/Splunk-Search/Regex-is-kicking-my-butt/m-p/59513#M14667 kristian_kolb 2013-07-12T12:42:58Z