https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197720#M57158 <P>Yes, you need to restart splunkd - either from the outside, like restarting the service, or from the inside, in the GUI, or hit the refresh endpoint url;</P> <P><CODE>http(s)://your_splunk:8000/en-US/debug/refresh</CODE></P> <P>That will also reload most configs.</P> <P>Purely search-related configs, such as field extractions will be reloaded for each search.</P> <P>/k</P> Mon, 24 Mar 2014 19:46:33 GMT kristian_kolb 2014-03-24T19:46:33Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197711#M57149 <P>Hi All,</P> <P>I am having difficulty finding in-depth documentation on REGEX syntax, and I am attempting to filter out [WinEventLog:Security] logs from our central Splunk Instance by use of a heavy forwarder.</P> <P>On our Heavy Forwarder, we have the following filters setup:</P> <P>props.conf</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-security= npm-setnull, everythingElse </CODE></PRE> <P>Filter NPM account Security logs to nullQueue</P> <PRE><CODE>[npm-setnull] REGEX = (?msi)Account_Name="ACCOUNT@DOMAIN.COM" DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Send everything else to be indexed in the indexQueue</P> <PRE><CODE>[everythingElse] REGEX = . DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>This is currently not filtering any of the logs, and I feel thate the syntax is incorrect, but I can't find any solid documentation on how to format this. Can anyone help?</P> <P>Thank you in advance,r<BR /> Daniel</P> Fri, 21 Mar 2014 17:38:29 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197711#M57149 dscoland 2014-03-21T17:38:29Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197712#M57150 <P>You'll need to reverse the order in which the transforms are called from props.conf. Or in your case, just remove the [everythingElse] stanza and the reference to it. While it might seem a bit contra-intuitive, think of it like this;</P> <P>"All events will pass through all transforms in the specified order before being returned for further processing"</P> <P>It is not like there is some kind of 'break-on-match' processing. Thus, first setting the queue to nullQueue for some events, and then immediately resetting it back to indexQueue (for all events), will have the same results as not having any filtering at all.</P> <HR /> <P>UPDATE:</P> <P>Yes, wolverine is right. The field name <CODE>Account_Name</CODE> is a so-called 'cleaned' name, i.e, spaces are replaced with underscores etc. The <CODE>REGEX</CODE> must match the actual text in the event, i.e.;</P> <P><CODE>REGEX = Account\sName:\s+ACCOUNT@DOMAIN.COM</CODE> </P> <P>/k</P> <P>/K</P> Fri, 21 Mar 2014 21:12:02 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197712#M57150 kristian_kolb 2014-03-21T21:12:02Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197713#M57151 <P>Hi Kristian,</P> <P>Thank you for your response.</P> <P>I now have:</P> <P>[WinEventLog:Security]<BR /> TRANSFORMS-security= npm-setnull</P> <P>[npm-setnull]<BR /> REGEX = (?msi)Account_Name="<A href="mailto:NPM@EDM.LOCAL" target="_blank">NPM@EDM.LOCAL</A>"<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>It still appears not to be filtering. Do I need to restart the Heavy Forwarder instance?</P> <P>Daniel</P> Mon, 28 Sep 2020 16:12:29 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197713#M57151 dscoland 2020-09-28T16:12:29Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197714#M57152 <P>I think the issue might be with your REGEX:</P> <P>REGEX = (?m)Account_Name="<A href="mailto:ACCOUNT@DOMAIN.COM">ACCOUNT@DOMAIN.COM</A>"</P> Sat, 22 Mar 2014 00:44:38 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197714#M57152 the_wolverine 2014-03-22T00:44:38Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197715#M57153 <P>good spotting, wolverine! Updated my answer to reflect on this as well.</P> <P>/k</P> Sun, 23 Mar 2014 21:40:38 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197715#M57153 kristian_kolb 2014-03-23T21:40:38Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197716#M57154 <P>Hi wolverine!</P> <P>Thank you for your response. I am going to try this out. I know I probably sound like a broken record. But does Splunk provide REGEX documentation? I feel rather ignorant not understanding (?msi) and (?m) syntax; or is this provided elsewhere?</P> <P>Thanks for your help, guys.</P> <P>Daniel</P> Mon, 24 Mar 2014 12:37:26 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197716#M57154 dscoland 2014-03-24T12:37:26Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197717#M57155 <P>Hi dscoland,</P> <P><A href="http://www.regular-expressions.info">www.regular-expressions.info</A></P> <P>regexr.com</P> <P>are two commonly referenced guides for learning/testing regular expressions.</P> Mon, 24 Mar 2014 12:45:14 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197717#M57155 kristian_kolb 2014-03-24T12:45:14Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197718#M57156 <P>Awesome, thanks Kristian!</P> <P>As it turns out, this did not fix the issue. I will have to dig deeper in this.</P> <P>Thanks for your continued help, guys.<BR /> Daniel</P> Mon, 24 Mar 2014 14:18:22 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197718#M57156 dscoland 2014-03-24T14:18:22Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197719#M57157 <P>Thanks guys, I managed to get the filter working.</P> <P>I changed the field to look for the Logon Account</P> <P><CODE>[npm-setnull]<BR /> REGEX = Logon\sAccount:\snpm<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</CODE></P> <P>But I believe the Splunkd service in Services.msc needs to be rebooted in order to start the filter.</P> <P>Regards!<BR /> Daniel</P> Mon, 24 Mar 2014 16:40:36 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197719#M57157 dscoland 2014-03-24T16:40:36Z https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197720#M57158 <P>Yes, you need to restart splunkd - either from the outside, like restarting the service, or from the inside, in the GUI, or hit the refresh endpoint url;</P> <P><CODE>http(s)://your_splunk:8000/en-US/debug/refresh</CODE></P> <P>That will also reload most configs.</P> <P>Purely search-related configs, such as field extractions will be reloaded for each search.</P> <P>/k</P> Mon, 24 Mar 2014 19:46:33 GMT https://community.splunk.com/t5/Splunk-Search/Heavy-Forwarder-REGEX-Filting-Issues/m-p/197720#M57158 kristian_kolb 2014-03-24T19:46:33Z