
Negation in Transforms.conf

abhayneilam
Contributor

Hi,
I have a log in which the below lines are coming

AAA good
BBB good
AAA good
CCC good
DDD bad
AAA bad

I want to nullify the lines which do not have the "AAA good" string. Please help me in writing the transforms.conf:

[AAA_GOOD]
REGEX = (?!)AAA\sgood
DEST_KEY = queue
FORMAT = nullQueue

Please help !!

0 Karma

MuS
Legend

Hi abhayneilam,

Use this regex and it will only match AAA good:

^(?!.*AAA\sgood$).*

cheers, MuS

abhayneilam
Contributor

If my value is something like :

AAA\s[good\sverygood\swow]

then it should be like

[^AAA\s[good.verygood.wow]] right ? please suggest !!

0 Karma

MuS
Legend

Are those \s literal or regex spaces?

0 Karma

abhayneilam
Contributor

I am giving \s for denoting spaces and also giving \ before the .

I have a string like

blah blah AAA [good.verygood.wow] blah blah

0 Karma

MuS
Legend

How about the docs approach of nulling everything and explicitly keeping only the AAA [good events, like this:

In props.conf:

[AAA_GOOD]
TRANSFORMS-set = setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = AAA\s\[good
DEST_KEY = queue
FORMAT = indexQueue

I tend to set up things in a way that you can still remember what they mean two years from now.

abhayneilam
Contributor

I have done:

in props.conf

[AAA_GOOD]
SHOULD_LINEMERGE = false
TRANSFORMS-set = setnull,setparsing,add_host,BBB_MORE

in transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = AAA\s\[good
DEST_KEY = queue
FORMAT = AAA_Index

[add_host]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(.*)$
FORMAT = HS="$1" $0
DEST_KEY = _raw

[BBB_MORE]
REGEX = ^(.*?)\s(\d+-\d+-\d+)\s(\d+:\d+:\d+,\d+)\sAAA\s\[good\]\s\[\d+\]\s(\w+)\s::\s(.*)
FORMAT = $1 AA=aa BB=bb CC="$2T$3" DD=$4 EE=$5
DEST_KEY = _raw

Please let me know if this is correct.

I am using my own index name "AAA_Index" instead of "indexQueue" in props.conf as suggested by you. Is it correct?

0 Karma

MuS
Legend

No, that's wrong: you cannot specify an index in this case, because the DEST_KEY is queue. If you want to rewrite the index you must use this:

DEST_KEY = _MetaData:Index
FORMAT = AAA_Index

And as a hint: providing such information in the initial question 😉 makes it easier to answer 🙂

0 Karma
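The three answers in this thread all rest on one rule: transforms listed in a TRANSFORMS-* setting run in order, and a later stanza that writes the same DEST_KEY overwrites the earlier one. The following is an added example, not Splunk code and not anything posted in the thread: a small Python model of that rule that runs the negative-lookahead regex from the first answer, the setnull/setparsing pair from the second, and the _MetaData:Index rewrite from the last answer over constructed sample events. The function names (apply_transforms, route, check_config), the default queue and index values, and the restriction to literal FORMAT values are assumptions of this model; real Splunk has further queues and supports $0/$1 capture-group substitution, neither of which is modelled.

```python
import re

# Constructed sample events, modelled on the lines from the question and on the
# "blah blah AAA [good.verygood.wow] blah blah" string from the follow-up.
SAMPLE_EVENTS = [
    "AAA good",
    "BBB good",
    "DDD bad",
    "AAA bad",
    "blah blah AAA [good.verygood.wow] blah blah",
    "blah blah BBB [good.verygood.wow] blah blah",
]

# An index name is never a queue name; that is the mistake the last answer corrects.
# Assumed allow-list for this model (Splunk has more queues than these two).
VALID_QUEUES = {"indexQueue", "nullQueue"}


def apply_transforms(event, transforms):
    """Run stanzas, given as (name, regex, dest_key, format) tuples, in
    TRANSFORMS-* order and return the resulting keys.

    Constructed model of the ordering rule: every stanza whose REGEX matches
    _raw writes FORMAT into DEST_KEY, so a later stanza overwrites an earlier one.
    Only literal FORMAT values are modelled, not $0/$1 capture-group substitution.
    """
    keys = {"_raw": event, "queue": "indexQueue", "_MetaData:Index": "main"}
    for _name, regex, dest_key, fmt in transforms:
        if re.search(regex, keys["_raw"]):   # SOURCE_KEY defaults to _raw
            keys[dest_key] = fmt
    return keys


def route(events, transforms):
    """Map each event to the queue it finally ends up in."""
    return {e: apply_transforms(e, transforms)["queue"] for e in events}


def check_config(transforms):
    """Names of stanzas that write something other than a queue name into 'queue'."""
    return [name for name, _regex, dest_key, fmt in transforms
            if dest_key == "queue" and fmt not in VALID_QUEUES]


# Approach 1 (first answer): one stanza whose negative lookahead matches every
# event that does NOT end in "AAA good", and drops it.
LOOKAHEAD_DROP = [
    ("drop_non_aaa_good", r"^(?!.*AAA\sgood$).*", "queue", "nullQueue"),
]

# Approach 2 (docs approach): drop everything, then re-route the keepers.
# Order matters: setnull must come first so that setparsing can overwrite it.
NULL_THEN_KEEP = [
    ("setnull", r".", "queue", "nullQueue"),
    ("setparsing", r"AAA\s\[good", "queue", "indexQueue"),
]

# Approach 3 (last answer): same routing, plus rewriting the target index via
# the _MetaData:Index key instead of putting the index name into queue.
NULL_KEEP_REINDEX = NULL_THEN_KEEP + [
    ("set_index", r"AAA\s\[good", "_MetaData:Index", "AAA_Index"),
]

# The rejected variant from the thread: an index name written into the queue key.
WRONG_INDEX_IN_QUEUE = [
    ("setnull", r".", "queue", "nullQueue"),
    ("setparsing", r"AAA\s\[good", "queue", "AAA_Index"),
]

if __name__ == "__main__":
    for label, cfg in [("lookahead", LOOKAHEAD_DROP),
                       ("null-then-keep", NULL_THEN_KEEP),
                       ("reversed order", list(reversed(NULL_THEN_KEEP)))]:
        print(label)
        for event, queue in route(SAMPLE_EVENTS, cfg).items():
            print(f"  {queue:<10} {event}")
    print("misconfigured stanzas:", check_config(WRONG_INDEX_IN_QUEUE))
```

Running it shows why the two regexes are not interchangeable: the lookahead from the first answer keeps the bare "AAA good" line but drops the later "AAA [good..." string, while the setnull/setparsing pair does the opposite, and listing setparsing before setnull sends every event to nullQueue.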