Getting Data In

How to check regexp rules from transforms.conf ?

New Member

I'm looking for a way (through a cmdline for example) to check whether my rules inside transforms.conf are correct or not ?
I've checked them with a grep of course in cmdline, but either I mis-understood the way transforms.conf works or there is an issue in the regexp (which I'd therefore like to validate).
My goal is that I don't want to send to the indexer all the lines that match one of the 4 regexp bellow.
I have I syslog VM on which I have a UF (ie: the conf bellow) and another VM : Splunk (indexer head) that receive data.

ideally I'd like to find a way to do something like:

Thanks a lot for your help.

TRANSFORMS-set= setnull-part1,setnull-part2,setnull-part3,setnull-part4

REGEX = created\s[0-9./]*->10.90.3.[35]/53
DEST_KEY = queue
FORMAT = nullQueue

REGEX = created\s10.90.3.[46]/[0-9]->[.0-9]/53
DEST_KEY = queue
FORMAT = nullQueue

REGEX = created\s10.20.139.3/
DEST_KEY = queue
FORMAT = nullQueue

DEST_KEY = queue
FORMAT = nullQueue


0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!