https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558129#M158522 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;that's right: the first one should be excluded with nullQueue and the second one should be indexed.</P><P>The problem though is that all logs are excluded.</P> Tue, 06 Jul 2021 15:50:23 GMT martaBenedetti 2021-07-06T15:50:23Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558124#M158519 <P>Hi community,</P><P>I have the need to exclude AIX logs containing a certain field value.</P><P>This is the regex the parser is using to extract vendor_action filed:</P><P>&nbsp;</P><LI-CODE lang="markup">^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+(?&lt;pid&gt;\d+)\s+(?&lt;ppid&gt;\d+)\s+(?&lt;user&gt;\S+)\s+(?&lt;process&gt;\S+)\s+(?&lt;vendor_action&gt;\S+)\s+(?&lt;status&gt;\S+)</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I'm trying to exclude events that contain vedor_action=FILE_Unlink and these are my conf file located on Heavy Forwarder:</P><P>props.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[aix:audit] TRANSFORMS-null= setnull</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>transforms.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[setnull] REGEX = ^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+FILE_Unlink\s+\S+ DEST_KEY = queue FORMAT = nullQueue</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>There are sample logs: the first one should be excluded while the second one no:</P><P>&nbsp;</P><LI-CODE lang="markup">Fri Jul 02 10:01:49 2021 34078844 8520050 dbloader rm FILE_Unlink OK Not supported filename /tmp/CSI_ODS_M_SIA__INFO_RILANCIO.txt Fri Jul 02 10:01:46 2021 34930828 4587668 root root lsvg FILE_Unlink OK filename /dev/__pv17.0.34930828</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>When I restart spunk all logs are excluded, so I think something is wrong with my REGEX even if on regex101 seems to work fine.</P><P>&nbsp;</P><P>Any ideas?</P><P>Thanks a lot</P><P>Marta</P> Fri, 02 Jul 2021 08:21:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558124#M158519 martaBenedetti 2021-07-02T08:21:45Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558128#M158521 <P>The first one has 2 words between the numbers and FILE_Unlink whereas the second one has 3 words - your regex only caters for the first case</P> Fri, 02 Jul 2021 09:17:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558128#M158521 ITWhisperer 2021-07-02T09:17:40Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558129#M158522 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;that's right: the first one should be excluded with nullQueue and the second one should be indexed.</P><P>The problem though is that all logs are excluded.</P> Tue, 06 Jul 2021 15:50:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558129#M158522 martaBenedetti 2021-07-06T15:50:23Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558443#M158634 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;Do you have suggestion on how to do so?</P><P>That is filter out the first kind of log?</P><P>&nbsp;</P><P>Thanks</P> Tue, 06 Jul 2021 15:49:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558443#M158634 martaBenedetti 2021-07-06T15:49:17Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558449#M158638 <P>I can't anything wrong with what you have posted. Which version of splunk are you using?</P> Tue, 06 Jul 2021 16:17:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558449#M158638 ITWhisperer 2021-07-06T16:17:33Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558510#M158653 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;on HFW there is Splunk Enterprise 7.1.3.</P><P>Thought you were thinking about something <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Thanks anyway!!</P> Wed, 07 Jul 2021 07:25:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-to-filter-out-logs/m-p/558510#M158653 martaBenedetti 2021-07-07T07:25:15Z