Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can we use regex for counting fields?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khanlarloo
Explorer
08-25-2018
12:31 AM
Hi
I have one question, is it possible to count the number of event in regex format for writing in transforms.conf?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
08-26-2018
04:44 AM
it seems in your event for acion = double quotes are present..can you try below:
in transforms.conf-
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = action=\"deny\"
DEST_KEY = queue
FORMAT = indexQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
08-26-2018
04:44 AM
it seems in your event for acion = double quotes are present..can you try below:
in transforms.conf-
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = action=\"deny\"
DEST_KEY = queue
FORMAT = indexQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khanlarloo
Explorer
08-27-2018
11:00 PM
thank you, it workes now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
08-28-2018
12:16 AM
@khanlarloo I have converted @493669 's comment to Answer. Please accept the same to mark this question as answered!
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
08-25-2018
10:27 AM
Please provide more details about what you are trying to do. What exactly are you trying to achieve via transforms.conf?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khanlarloo
Explorer
08-25-2018
11:08 PM
i want my HF send specific field to my receiver and count the number of different strings,i configure props.conf and transforms.conf but it doesn't work,
i hav field named action=deny i want to send just this field to my receiver,and it count this field.
[setnull]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
08-26-2018
02:19 AM
can you try these setings:
in props.conf-
[sourcetypename]
TRANSFORMS-set= setnull,setparsing
Here make sure setnull stanza must appear first in the list.
in transforms.conf-
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khanlarloo
Explorer
08-26-2018
03:15 AM
i try this but it doesn't work,when i do this i don't receive any logs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khanlarloo
Explorer
08-26-2018
04:07 AM
here is my event
Aug 26 13:57:02 192.168.X.3 date=2018-08-26 time=13:51:33 devname="FGT-Lab" devid="FGT" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1535275293 srcip=192.168.X.100 srcport=18730 srcintf="wan1" srcintfrole="wan" dstip=192.168.X.3 dstport=8443 dstintf="root" dstintfrole="undefined" sessionid=5399 proto=6 action="close" policyid=1 policytype="local-in-policy" service="tcp/8443" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="Web Management(HTTPS)" duration=3 sentbyte=5166 rcvdbyte=204729 sentpkt=81 rcvdpkt=150 appcat="unscanned"
Get Updates on the Splunk Community!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
4 Ways the Splunk Community Helps You Prepare for .conf25
.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
