How to check regexp rules from transforms.conf ?

ucp_djaity · ‎02-08-2018

Hi,
I'm looking for a way (through a cmdline for example) to check whether my rules inside transforms.conf are correct or not ?
I've checked them with a grep of course in cmdline, but either I mis-understood the way transforms.conf works or there is an issue in the regexp (which I'd therefore like to validate).
My goal is that I don't want to send to the indexer all the lines that match one of the 4 regexp bellow.
I have I syslog VM on which I have a UF (ie: the conf bellow) and another VM : Splunk (indexer head) that receive data.

ideally I'd like to find a way to do something like:
check_transform.sh

Thanks a lot for your help.
regards.
JT

props.conf
[syslog-mgmt]
TRANSFORMS-set= setnull-part1,setnull-part2,setnull-part3,setnull-part4

transforms.conf
[setnull-part1]
REGEX = created\s[0-9./]*->10.90.3.[35]/53
DEST_KEY = queue
FORMAT = nullQueue

[setnull-part2]
REGEX = created\s10.90.3.[46]/[0-9]->[.0-9]/53
DEST_KEY = queue
FORMAT = nullQueue

[setnull-part3]
REGEX = created\s10.20.139.3/
DEST_KEY = queue
FORMAT = nullQueue

[setnull-part4]
REGEX = >10.100.105.1/137
DEST_KEY = queue
FORMAT = nullQueue

~
~

How to check regexp rules from transforms.conf ?

Don't miss your chance to share your Splunk wisdom in-person or virtually at .conf21!Call for Speakers hasbeen extended throughThursday, 5/20! Submit Now! >

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Submit Now! >