https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572530#M199542 <P>in the end i think i made a simple mistake of naming my stanza in my props file "apache" when my sourcetype was "ApacheAccess". &nbsp;That helped me, but also, the regex above gave me the results. &nbsp;Splunk seems to be able to read the escaping / "\/" also.</P><P>&nbsp;</P><P>Thank you all.</P> Tue, 26 Oct 2021 19:08:32 GMT agentguerry 2021-10-26T19:08:32Z https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572503#M199531 <P>I am trying to set a regex that works when i use say regexr.com but doesn't apply in my transforms/props file.</P><P>I am wanting to not ingest any apache logs that contain: &nbsp;assets/js, assets/css, assets/img</P><P>I can set one up singular, and it works fine, but the two commented out lines, even though they work in a regex case, don't seem to apply in my transforms file. &nbsp;Any insight if I may be doing something wrong?<BR /><BR />Thank you for any assistance.</P><P>&nbsp;</P><P>[drop_assets]<BR />REGEX = .*assets\/js.*<BR />#REGEX = .*(assets\/js|assets\/css|assets\/img).*<BR />#REGEX = .*assets/js.*|.*assets/css.*|.*assets/img.*<BR />DEST_KEY = queue<BR />FORMAT = nullQueue</P><P>&nbsp;</P><P>[apache]<BR />TRANSFORMS-drop = drop_assets</P> Tue, 26 Oct 2021 16:44:27 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572503#M199531 agentguerry 2021-10-26T16:44:27Z https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572518#M199536 <P>Here's another regex to try.&nbsp; Note that the leading and trailing ".*" is implied unless the "^" or "$" anchor is used.</P><LI-CODE lang="markup">REGEX = assets\/(?:js|css|img)</LI-CODE> Tue, 26 Oct 2021 17:36:20 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572518#M199536 richgalloway 2021-10-26T17:36:20Z https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572523#M199538 <P>Also, slash ("/") doesn't need escaping.</P> Tue, 26 Oct 2021 18:04:33 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572523#M199538 PickleRick 2021-10-26T18:04:33Z https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572527#M199540 <P>regex101.com says otherwise.</P> Tue, 26 Oct 2021 18:32:37 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572527#M199540 richgalloway 2021-10-26T18:32:37Z https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572529#M199541 <P>regex101 highlits a lone slash as an eror because by default it considers the given regex as delimited by slashes (it's described as PHP-compatible). If you switch to Python mode, then slash will not be highlited as error, but double quotes will, since Python regexes are delimited by double quotes.</P><P>Splunk doesn't use either of those as delimiters so they don't need to be escaped.</P> Tue, 26 Oct 2021 18:45:02 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572529#M199541 PickleRick 2021-10-26T18:45:02Z https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572530#M199542 <P>in the end i think i made a simple mistake of naming my stanza in my props file "apache" when my sourcetype was "ApacheAccess". &nbsp;That helped me, but also, the regex above gave me the results. &nbsp;Splunk seems to be able to read the escaping / "\/" also.</P><P>&nbsp;</P><P>Thank you all.</P> Tue, 26 Oct 2021 19:08:32 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-a-nullQueue-multiple-strings/m-p/572530#M199542 agentguerry 2021-10-26T19:08:32Z