Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to check regexp rules from transforms.conf ?

ucp_djaity
New Member
‎02-08-2018 11:29 AM

Hi,
I'm looking for a way (through a cmdline for example) to check whether my rules inside transforms.conf are correct or not ?
I've checked them with a grep of course in cmdline, but either I mis-understood the way transforms.conf works or there is an issue in the regexp (which I'd therefore like to validate).
My goal is that I don't want to send to the indexer all the lines that match one of the 4 regexp bellow.
I have I syslog VM on which I have a UF (ie: the conf bellow) and another VM : Splunk (indexer head) that receive data.

ideally I'd like to find a way to do something like:
check_transform.sh

Thanks a lot for your help.
regards.
JT

props.conf
[syslog-mgmt]
TRANSFORMS-set= setnull-part1,setnull-part2,setnull-part3,setnull-part4

transforms.conf
[setnull-part1]
REGEX = created\s[0-9./]*->10.90.3.[35]/53
DEST_KEY = queue
FORMAT = nullQueue

[setnull-part2]
REGEX = created\s10.90.3.[46]/[0-9]->[.0-9]/53
DEST_KEY = queue
FORMAT = nullQueue

[setnull-part3]
REGEX = created\s10.20.139.3/
DEST_KEY = queue
FORMAT = nullQueue

[setnull-part4]
REGEX = >10.100.105.1/137
DEST_KEY = queue
FORMAT = nullQueue

~
~

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...