topic Re: regex help in Splunk Search

regex help

mcbradford — Mon, 28 Sep 2020 10:23:48 GMT

I need to filter out some events on the heavy forwarder. I know how to do this but I need some help with the regex.

If dstip=123.123.123.123 and dstport=514 and rule_name not ="this is my rule"

drop the events.

These are the events I want to see.......

Jan 31 04:09:39 gwz auditd: date="2012-01-31 09:09:39 +0000",fac=f_kernel_ipfilter,area=z_general_area,type=t_nettraffic,pri=p_major,hostname=abc.cbs.com,event="session end",app_risk=low,app_categories=infrastructure,netsessid=54c044f265c90,srcip=123.15.3.19,srcport=41868,srczone=internal,protocol=17,dstip=123.123.123.123,dstport=514,dstzone=dmz,bytes_written_to_client=0,bytes_written_to_server=136491133,rule_name="this is my rule",cache_hit=0,start_time="2012-01-30 09:02:08 +0000",application=Syslog

Re: regex help

Ayn — Mon, 06 Feb 2012 20:10:59 GMT

Well, what does the event you're trying to filter look like? The example you provided seems to refer just to field names, not to actual event text.

Re: regex help

jbsplunk — Mon, 06 Feb 2012 23:28:21 GMT

I did something similar for someone else on here today, and for you I think something like this would work:

 props.conf

 [yoursourcetype]
 TRANSFORMS-null = setnull

 transforms.conf

 [setnull]
 REGEX = dstip=123.123.123.123,dstport=514,.+,rule_name="this is my rule"
 DEST_KEY = queue
 FORMAT = nullQueue