https://community.splunk.com/t5/Splunk-Search/Regex-Filtering-out-unwanted-events-doesn-t-work/m-p/405012#M167953 <P>Hi there,</P> <P>the regex works fine. Here are a few things to check:</P> <UL> <LI>Did you apply the props.conf / transforms.conf on the parsing instance (the first full Splunk instance that receives the events)?</LI> <LI>Did you restart that Splunk instance after you applied the props/transforms?</LI> <LI>no typo in the sourcetype name?</LI> <LI>maybe use <CODE>TRANSFORMS-nullQueue-tcpdenied307-firefox = tcpdenied307-firefox</CODE> just to make sure the <CODE>&lt;class&gt;</CODE> is uniq.</LI> <LI>it only applies to new data coming in, not historical data</LI> </UL> <P>cheers, MuS</P> Thu, 09 Aug 2018 21:58:45 GMT MuS 2018-08-09T21:58:45Z https://community.splunk.com/t5/Splunk-Search/Regex-Filtering-out-unwanted-events-doesn-t-work/m-p/405011#M167952 <P>Raw Cisco WSA squid event: </P> <P>1533849492.277 0 192.168.1.11 TCP_DENIED/307 0 GET <A href="http://detectportal.firefox.com/success.txt" target="_blank">http://detectportal.firefox.com/success.txt</A> - NONE/- - OTHER-NONE-AuthenticatedUsers-NONE-NONE-NONE-NONE &lt;-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"&gt; -</P> <P><STRONG>props.conf</STRONG></P> <P>[cisco:wsa:squid]<BR /> TRANSFORMS-null = tcpdenied307-firefox</P> <P><STRONG>transforms.conf</STRONG></P> <P>[tcpdenied307-firefox]<BR /> REGEX = .+(TCP_DENIED).+(307).+(detectportal.firefox.com).+<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>Any ideas why my REGEX doesn't work?</P> Tue, 29 Sep 2020 20:53:29 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Filtering-out-unwanted-events-doesn-t-work/m-p/405011#M167952 moey 2020-09-29T20:53:29Z https://community.splunk.com/t5/Splunk-Search/Regex-Filtering-out-unwanted-events-doesn-t-work/m-p/405012#M167953 <P>Hi there,</P> <P>the regex works fine. Here are a few things to check:</P> <UL> <LI>Did you apply the props.conf / transforms.conf on the parsing instance (the first full Splunk instance that receives the events)?</LI> <LI>Did you restart that Splunk instance after you applied the props/transforms?</LI> <LI>no typo in the sourcetype name?</LI> <LI>maybe use <CODE>TRANSFORMS-nullQueue-tcpdenied307-firefox = tcpdenied307-firefox</CODE> just to make sure the <CODE>&lt;class&gt;</CODE> is uniq.</LI> <LI>it only applies to new data coming in, not historical data</LI> </UL> <P>cheers, MuS</P> Thu, 09 Aug 2018 21:58:45 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Filtering-out-unwanted-events-doesn-t-work/m-p/405012#M167953 MuS 2018-08-09T21:58:45Z https://community.splunk.com/t5/Splunk-Search/Regex-Filtering-out-unwanted-events-doesn-t-work/m-p/405013#M167954 <P>Hi,</P> <OL> <LI>Yes, I deployed the props and transforms from my master node to my indexers and I can see them.</LI> <LI>According to the bundle distribution, I don't need to Splunk indexers.</LI> <LI>no typo, we've had successfully filter out unwanted events in the past similar to what I'm trying to do right now</LI> <LI>let me try that and see if it makes a difference</LI> <LI>yes, i'm still seeing in the new incoming data and it's weird that it's not working. we've done it before.</LI> </OL> <P>Thanks.</P> Thu, 09 Aug 2018 22:07:01 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Filtering-out-unwanted-events-doesn-t-work/m-p/405013#M167954 moey 2018-08-09T22:07:01Z https://community.splunk.com/t5/Splunk-Search/Regex-Filtering-out-unwanted-events-doesn-t-work/m-p/405014#M167955 <P>@moey check file permissions on props.conf and transforms.conf. It should be read only. You can compare file permission with other similar configurations.</P> Fri, 10 Aug 2018 02:30:51 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Filtering-out-unwanted-events-doesn-t-work/m-p/405014#M167955 niketn 2018-08-10T02:30:51Z