Solved: Re: Regex needed for sourcetype forcing

maria1991 · ‎01-18-2022

Hi All

I have a sourcetype in which we have some events with a keyword like asdf. In some events it comes in between and some events at the end.

I need to forward all these logs to another sourcetype with props and transforms.

[generic_sourcetype_routing_asdf]
REGEX =
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::asdf_logs

props.conf

[current_sourcetype]
TRANSFORMS-sourcetype_routing = generic_sourcetype_routing_asdf

In the REGEX part I would like to know if only keeping asdf or *asdf * would work. I can't put the regex for complete log format since there are multiple formats. So I need to inform splunk to pass any event with asdf anywhere in it should be forwarded to the new one. Please suggest.

Thanks

Maria Arokiaraj

richgalloway · ‎01-18-2022

*asdf* is not a valid regular expression. Use asdf. There is an implied wildcard at the beginning and end of every regex unless specified otherwise with ^ and/or $.

regex101.com is a great place to test expressions.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

maria1991 · ‎01-19-2022

Just adding the keyword asdf worked for me 🙂 Thanks

richgalloway · ‎01-18-2022

*asdf* is not a valid regular expression. Use asdf. There is an implied wildcard at the beginning and end of every regex unless specified otherwise with ^ and/or $.

regex101.com is a great place to test expressions.

---
If this reply helps you, Karma would be appreciated.

Regex needed for sourcetype forcing

other

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience