Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

TRANSFORMS-null = setnull

gitingua
Communicator
‎11-10-2021 03:13 AM
  1. In props.conf, set the TRANSFORMS-null attribute:
    [ActiveDirectory]
TRANSFORMS-null= setnull
  2. Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
    [setnull]
REGEX = \[ms_Mcs_AdmPwdExpirationTime\]
DEST_KEY = queue
FORMAT = nullQueue
  3. Restart Splunk Enterprise.

    field = ms_Mcs_AdmPwdExpirationTime
    the values ​​are still in the index
    Not working.  what did I indicate wrong?
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2021 05:25 AM

There likely is an error in the regex, but to know that for sure we'll need to see some example data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gitingua
Communicator
‎11-10-2021 01:21 PM

@richgalloway 

example

2Wc23q

C23gAwe3

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2021 05:40 AM

There's the problem.  The example data does not match the regex since none of them contain the string "ms_Mcs_AdmPwdExpirationTime".  You'll have to find a regular expression that matches all expected strings you wish to send to the null queue.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gitingua
Communicator
‎11-11-2021 05:49 AM

I was wrong. given string. "ms_Mcs_AdmPwd" there are random symbols of the unit and letters

@richgalloway 

0 Karma
Reply

gitingua
Communicator
‎11-11-2021 05:12 PM

@richgalloway 

props.conf

[ActiveDirectory]

TRANSFORMS-null = setnull

 

transforms.conf

[setnull]

REGEX = ms-Mcs-AdmPwd\s*=(.*)

DEST_KEY = queue

FORMAT = nullQueue

 

 

not working

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-12-2021 05:16 AM

Again, to properly diagnose a regex problem we need to see the events that are to be matched.  Not just a tiny snippet, either.  Feel free to anonymize sensitive data.

Have you tested your regular expressions on a site like regex101.com?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gitingua
Communicator
‎11-12-2021 06:23 AM

 

@richgalloway 

Снимок экрана 2021-11-12 в 17.21.43.png

 

yes. check in regex101. enable. 

tried different regex methods working. now standing which is in the picture above

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...