
REGEX filter in transforms.conf file setting question

New Member

We're forwarding events to a 3rd party. In our transforms.conf file, the filter looks like the following

REGEX = .

For some reason, this filter captures names without any hyphens. Here's what I'm talking about:

Success - Computer
Failure - Co-m-puter

We have computer names with the '-' in them, but they don't get captured. Is there a better wildcard string that can be used to capture all computer names, regardless of what characters are in them?

Thanks!


Re: REGEX filter in transforms.conf file setting question

Champion

REGEX = . isn't capturing names at all. It's not capturing anything, and it matches anything. I think you're looking at the wrong transform.


Re: REGEX filter in transforms.conf file setting question

SplunkTrust

If you share some sample data and your transforms.conf settings we can help better.

---
If this reply helps you, an upvote would be appreciated.

Re: REGEX filter in transforms.conf file setting question

New Member

Here's some additional info. Let me know if this is helpful.

Thank you

Props.conf

[host::*]
TRANSFORMS-main = test_eventlogs

Transforms.conf

# stanza name must match the TRANSFORMS-main reference in props.conf
[test_eventlogs]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = windowsworkstationsmain

Outputs.conf

[syslog:windowsworkstationsmain]
server = my.destination.com
sendCookedData = true


Re: REGEX filter in transforms.conf file setting question

Champion

That configuration tells Splunk where to send the data (in this case by syslog to my.destination.com). That is uninvolved in the parsing of the data.

Can you include props.conf (from the search head, not the forwarder) for the sourcetype in question?


Re: REGEX filter in transforms.conf file setting question

New Member

This is from the search head.


Re: REGEX filter in transforms.conf file setting question

New Member

This is the complete props.conf

[setsourcetypetostash]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::stash

[extract_spent]
# named capture group; the group name "spent" is assumed from the stanza name
REGEX = (?P<spent>\d+)ms$

[eliminate-eventcodes]
REGEX = EventCode=(0000)
DEST_KEY = queue
FORMAT = nullQueue

[wstneventlogs]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = windowsworkstationsmain


Re: REGEX filter in transforms.conf file setting question

SplunkTrust

The REGEX string "." matches any single character, which is probably not what you want.
If you share some sample data and let us know what you want extracted from it we can probably help create a working regex.

---
If this reply helps you, an upvote would be appreciated.

Re: REGEX filter in transforms.conf file setting question

New Member

Basically, we have computer names that are whole words without any non-characters in the name (i.e. Computer01) and we have names with non-characters in them (i.e. Computer-01). It looks like the filter only matches the 1st, names with only characters and numbers. I need to capture all names, including the ones with '-' in them.

Any help would be appreciated.


Re: REGEX filter in transforms.conf file setting question

Champion

The issue is we still haven't seen the regex that is matching computer names. None of the transforms you posted above show that extraction.

Can you show the props.conf configuration for the sourcetype of this data that is being improperly extracted?
