Splunk Enterprise Security

How to capture the whole lines where keyword matches using props.conf and transforms.conf

sureshkumaar
Path Finder

Feb 3 11:10:15 server-server-server-server systemd[1]: Removed slice User Slice of UID 0.

Feb 3 04:14:23 server-server-server-server rsyslogd[679024]: imjournal: 16021 messages lost due to rate-limiting (20000 allowed within 600 seconds)

Feb 3 11:01:01 server-server-server-server CROND[3905399]: (root) CMDEND (run-parts /etc/cron.hourly)

Feb 3 11:10:55 server-server-server-server esfdaemon[3938104]: 0

Feb 3 10:24:36 server-server-server-server auditd[2689]: Audit daemon rotating log files

Is there a way to capture the whole line where the systemd, rsyslogd and auditd keywords match, using props.conf and transforms.conf?

The below captures up to the specific keyword; how about the remaining lines after the keyword?

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ^\w{3}\s\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s+(?:[+\-A-Z0-9]*\s+)?(systemd|rsyslogd|auditd)
DEST_KEY = queue
FORMAT = indexQueue


livehybrid
SplunkTrust

Hi @sureshkumaar 

Are your events across multiple lines?

You might have more success with the following transform

[setParsing]
INGEST_EVAL = queue=IF(match(_raw, "systemd|rsyslogd|auditd"),queue,"nullQueue")

Then in your props.conf refer to this for your sourcetype

[yourSourcetype]
TRANSFORMS-filter1 = setParsing

This will set the queue depending on a match within the IF statement.


Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will


livehybrid
SplunkTrust

Hi @sureshkumaar 

The value within the match command is actually a regular expression (I used a pipe-delimited list), so you could update this with a regex to match the filter you are looking for (e.g. hostname space keyword).

You will only need the single INGEST_EVAL because it uses an IF statement and sets the queue to nullQueue if the match is not met.

Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will

sureshkumaar
Path Finder

Hi @livehybrid ,

Thanks for the reply.

I have 2 questions:

1. The IF condition given will pick the events wherever the keyword matches, right? Whether the keyword "systemd", "rsyslogd" or "auditd" is at the start, middle or end of the event.

In my case I am looking for the events to be picked into a sourcetype when those keywords are there after the server name:

server-server-server-server systemd

server-server-server-server rsyslogd

2. We need to have the below one also in props.conf, right, to ignore other events getting forwarded to the sourcetype?

[sourcetype]
TRANSFORMS-set = setnull

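To make the routing behaviour from the answers concrete, here is an added Python example (not Splunk configuration and not code from either poster) that replays the INGEST_EVAL logic over the sample events from the question: once with the bare pipe-delimited keyword list, and once with an anchored "hostname, space, keyword" regex of the kind suggested in the second reply. The regex names, the event list (with one extra constructed CROND line) and the helper functions are assumptions made for the example.

```python
import re

# Constructed sample events modelled on the ones in the question (hostnames are
# placeholders). The last line is an added case where a keyword appears later
# in the message but not directly after the host name.
SAMPLE_EVENTS = [
    "Feb  3 11:10:15 server-server-server-server systemd[1]: Removed slice User Slice of UID 0.",
    "Feb  3 04:14:23 server-server-server-server rsyslogd[679024]: imjournal: 16021 messages lost due to rate-limiting (20000 allowed within 600 seconds)",
    "Feb  3 11:01:01 server-server-server-server CROND[3905399]: (root) CMDEND (run-parts /etc/cron.hourly)",
    "Feb  3 11:10:55 server-server-server-server esfdaemon[3938104]: 0",
    "Feb  3 10:24:36 server-server-server-server auditd[2689]: Audit daemon rotating log files",
    "Feb  3 12:00:00 server-server-server-server CROND[3905400]: (root) CMD (systemctl reload auditd)",
]

# Equivalent of match(_raw, "systemd|rsyslogd|auditd"): keyword anywhere in _raw.
KEYWORD_ANYWHERE = re.compile(r"systemd|rsyslogd|auditd")

# Anchored form: syslog timestamp, one host token, then the program name at the
# start of the message. The lookahead requires the "[pid]" or ":" that follows
# a syslog program name, so e.g. "systemd-logind" is not accepted as "systemd".
KEYWORD_AFTER_HOST = re.compile(
    r"^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+\S+\s+(?:systemd|rsyslogd|auditd)(?=[\[:])"
)


def route_event(raw, pattern):
    """Mimic INGEST_EVAL queue=if(match(_raw, ...), queue, "nullQueue").

    The regex only decides the queue; the whole event is kept or dropped,
    a match never truncates _raw at the keyword.
    """
    return "indexQueue" if pattern.search(raw) else "nullQueue"


def route_all(events, pattern):
    """Return the queue chosen for every event, in input order."""
    return [route_event(raw, pattern) for raw in events]


if __name__ == "__main__":
    for name, pattern in (("anywhere", KEYWORD_ANYWHERE), ("after host", KEYWORD_AFTER_HOST)):
        print(f"--- keyword {name} ---")
        for raw, queue in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, pattern)):
            print(f"{queue:10s} {raw[:60]}")
```

Running it shows the two regex forms agree on the five original events but differ on the constructed CROND line, which the bare keyword list sends to indexQueue and the anchored form drops.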