topic What would be the correct regular expression to capture lines that include these messages in my data? in Splunk Search

What would be the correct regular expression to capture lines that include these messages in my data?

lacrosse1991 — Mon, 15 May 2017 18:28:04 GMT

Hello,

I'm trying to set up my Splunk instance so that it filters out some lines and then leaves everything else. The lines that I'd like to remove contain one of the following values:

%ASA-6-302013
%ASA-6-302014
%ASA-6-302015
%ASA-6-302016

To filter out these lines, I added the following sections to my props.conf and transform.conf files

props.conf

 [cisco:asa]
TRANSFORMS-null= setnull

transforms.conf

[setnull]
REGEX = %ASA-6-3020(13|14|15|16|20|21)
DEST_KEY = queue
FORMAT = nullQueue

But for some reason, syslog lines containing values other than what was listed above are being removed as well. Is there a change that I should make to my regular expression in order to get things working correctly?

Thank you

Re: What would be the correct regular expression to capture lines that include these messages in my data?

koshyk — Mon, 15 May 2017 19:25:34 GMT

I can't find anything major wrong in your regex. Except may be escape % using \%

 REGEX = \%ASA-6-3020(13|14|15|16)

Re: What would be the correct regular expression to capture lines that include these messages in my data?

alemarzu — Mon, 15 May 2017 20:08:00 GMT

Nothing weird but try adding another rule to your configuration to see what happens.

[cisco:asa]
 TRANSFORMS-null= setnull, not_filtered

[setnull]
REGEX = %ASA-6-3020(13|14|15|16|20|21)
DEST_KEY = queue
FORMAT = nullQueue 

[not_filtered]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Hope it helps.

Re: What would be the correct regular expression to capture lines that include these messages in my data?

maciep — Tue, 16 May 2017 01:33:18 GMT

a long shot, but is it possible that you have another stanza named setnull in a different transforms.conf that is winning the conflict? Maybe btool could be a quick check

splunk btool transforms list setnull --debug

Re: What would be the correct regular expression to capture lines that include these messages in my data?

MuS — Tue, 16 May 2017 02:52:06 GMT

Hi lacrosse1991,

Your config must be applied on the parsing layer, so if there are heavy weight forwarder along the way the props.conf and transforms.conf must be put on them,. See the docs for details about this http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline#Parsing_phase

Another thing to remember is that you need to restart your Splunk instance after you changed those config files.

Regarding the regex one thing that will speed it up, is to put the last two digits in a non-capturing group like this:

  %ASA-6-3020(?:13|14|15|16|20|21)

Works faster on regex101.com.

Hope this helps ...

cheers, MuS

Re: What would be the correct regular expression to capture lines that include these messages in my data?

lacrosse1991 — Tue, 16 May 2017 12:49:18 GMT

Thanks for your feedback. What advantage would this type of setup have over what I'm currently using?

Re: What would be the correct regular expression to capture lines that include these messages in my data?

lacrosse1991 — Tue, 16 May 2017 12:49:44 GMT

thanks! I'm going to see if this will work

Re: What would be the correct regular expression to capture lines that include these messages in my data?

woodcock — Wed, 17 May 2017 01:51:36 GMT

Also, only post-deploy, post-restart events will be effected (old events will stay broken).

Re: What would be the correct regular expression to capture lines that include these messages in my data?

lacrosse1991 — Tue, 06 Jun 2017 13:20:36 GMT

sorry about taking so long to respond, but thanks! things seem to be working properly now