Getting Data In

How to check regexp rules from transforms.conf ?

New Member

I'm looking for a way (through a cmdline for example) to check whether my rules inside transforms.conf are correct or not ?
I've checked them with a grep of course in cmdline, but either I mis-understood the way transforms.conf works or there is an issue in the regexp (which I'd therefore like to validate).
My goal is that I don't want to send to the indexer all the lines that match one of the 4 regexp bellow.
I have I syslog VM on which I have a UF (ie: the conf bellow) and another VM : Splunk (indexer head) that receive data.

ideally I'd like to find a way to do something like:

Thanks a lot for your help.

TRANSFORMS-set= setnull-part1,setnull-part2,setnull-part3,setnull-part4

REGEX = created\s[0-9./]*->10.90.3.[35]/53
DEST_KEY = queue
FORMAT = nullQueue

REGEX = created\s10.90.3.[46]/[0-9]->[.0-9]/53
DEST_KEY = queue
FORMAT = nullQueue

REGEX = created\s10.20.139.3/
DEST_KEY = queue
FORMAT = nullQueue

DEST_KEY = queue
FORMAT = nullQueue


0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...