Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to filter out messages to nullQueue that contain stringA, but keep messages that contain both stringB and stringA?

Volto
Path Finder
‎06-08-2016 02:40 PM

Hi,

We are filtering messages from our Cisco ASA logs that contain Teardown and Buildup, but we recently wanted to include messages that include SYN Timeout.

The problem with the messages that contain the SYN Timeout also contain Teardown, which are getting filtered out by our transforms.conf file.

My question: Is there a way for us to filter out the messages that contain Teardown, but keep the messages that keep SYN Timeout even though they contain the Teardown string?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-08-2016 11:02 PM

I do not know the format of your logs but let us suppose it is something like this:

timestamp blah blah SYN Timeout blah blah Teardown blah blah

Then you can use a negative lookahead like this in transforms.conf to throw away ones with SYN Timeout but not Teardown:

[setnull]
REGEX = SYN Timeout(?!.*Teardown)
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-08-2016 11:02 PM

I do not know the format of your logs but let us suppose it is something like this:

timestamp blah blah SYN Timeout blah blah Teardown blah blah

Then you can use a negative lookahead like this in transforms.conf to throw away ones with SYN Timeout but not Teardown:

[setnull]
REGEX = SYN Timeout(?!.*Teardown)
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply
Solved! Jump to solution

Volto
Path Finder
‎06-09-2016 05:56 AM

The log format looks like this;

blah blah blah Teardown blah blah blah SYN Timeout

I ended up using a regex like this for matching those that contained Teardown, which we wanted to throw away, but keep that had SYN Timeout, which we wanted to keep.

\s+(Teardown(?!.*SYN\sTimeout))\s+

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...