Negation in Transforms.conf

Contributor

Hi,
I have a log in which the lines below are coming:

AAA good
BBB good
AAA good
CCC good
DDD bad
AAA bad

I want to nullify the lines which do not have the "AAA good" string. Please help me in writing the transforms.conf:

[AAAGOOD]
REGEX = (?!)AAA\sgood
DEST_KEY = queue
FORMAT = nullQueue

Please help !!

Re: Negation in Transforms.conf

SplunkTrust

Hi abhayneilam,

use this regex and it will only match AAA good:

^(?!.*AAA\sgood$).*

cheers, MuS

Re: Negation in Transforms.conf

Contributor

If my value is something like:

AAA\s[good\sverygood\swow]

then it should be like

[^AAA\s[good.verygood.wow]] right? Please suggest!!

Re: Negation in Transforms.conf

SplunkTrust

Are those \s literal or regex spaces?

Re: Negation in Transforms.conf

Contributor

I am giving \s for denoting spaces and also giving \ before .

I have a string like

blah blah AAA [good.verygood.wow] blah blah

Re: Negation in Transforms.conf

SplunkTrust

How about the docs approach of nulling everything and explicitly keeping only the AAA [good events, like this:

In props.conf:

[AAA_GOOD]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = AAA\s\[good
DEST_KEY = queue
FORMAT = indexQueue

I tend to set up things the way you can remember what they mean two years from now.
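To see how the two stanzas interact, here is an added Python simulation (not Splunk code and not from this thread) of how a TRANSFORMS-set list is applied: every stanza runs in order, and a later match overwrites the queue value set by an earlier one. The sample events, the "route" helper names and the assumption that an event with no queue override goes to indexQueue are constructions of this example.

```python
import re

# Constructed sample events, modelled on the input shown in the question.
EVENTS = [
    "AAA good",
    "BBB good",
    "CCC good",
    "DDD bad",
    "AAA bad",
    "blah blah AAA [good.verygood.wow] blah blah",
]

# The two stanzas from the answer above, in TRANSFORMS-set order:
# (name, REGEX, DEST_KEY, FORMAT).
TRANSFORMS = [
    ("setnull",    re.compile(r"."),           "queue", "nullQueue"),
    ("setparsing", re.compile(r"AAA\s\[good"), "queue", "indexQueue"),
]

# The single-regex alternative from the earlier reply: every event that does
# NOT end with "AAA good" is sent to the nullQueue; the rest are left alone.
NEGATION = [
    ("dropothers", re.compile(r"^(?!.*AAA\sgood$).*"), "queue", "nullQueue"),
]


def route(event, transforms=TRANSFORMS):
    """Return the DEST_KEY values left after every transform has run.

    Each transform whose REGEX matches writes FORMAT into DEST_KEY, so the
    last matching stanza in the list wins for a given key.
    """
    keys = {}
    for _name, regex, dest_key, fmt in transforms:
        if regex.search(event):
            keys[dest_key] = fmt
    return keys


def route_all(events=EVENTS, transforms=TRANSFORMS):
    """Map each event to the queue it ends up in.

    Assumption: an event with no queue override continues to indexQueue.
    """
    return {e: route(e, transforms).get("queue", "indexQueue") for e in events}


if __name__ == "__main__":
    for event, queue in route_all().items():
        print(f"{queue:<10} {event}")
```

Reversing the order of the two stanzas sends everything to the nullQueue, which is why the setnull stanza must come first in TRANSFORMS-set.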

Re: Negation in Transforms.conf

Contributor

I have done:

in props.conf

[AAAGOOD]
SHOULD_LINEMERGE = false
TRANSFORMS-set = setnull,setparsing,addhost,BBBMORE

in transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
# the literal "[" must be escaped, as in the suggested regex above
REGEX = AAA\s\[good
DEST_KEY = queue
FORMAT = AAA_Index

[addhost]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(.*)$
FORMAT = HS="$1" $0
DEST_KEY = _raw

[BBBMORE]
# literal square brackets escaped; groups $1-$5 feed the FORMAT below
REGEX = ^(.*?)\s(\d+-\d+-\d+)\s(\d+:\d+:\d+,\d+)\sAAA\s\[good\]\s\[\d+\]\s(\w+)\s::\s(.*)
FORMAT = $1 AA=aa BB=bb CC="$2T$3" DD=$4 EE=$5
DEST_KEY = _raw

Please let me know if this is correct.

I am using my own index name "AAA_Index" instead of "indexQueue" in the props.conf you suggested. Is it correct?

Re: Negation in Transforms.conf

SplunkTrust

No that's wrong, you cannot specify an index in this case, because the DEST_KEY is queue. If you want to rewrite the index you must use this:

DEST_KEY = _MetaData:Index
FORMAT = AAA_Index

And as a hint: provide such information in the initial question 😉 it makes it easier to answer 🙂
