Splunk Search

Can we use regex for counting fields?

khanlarloo
Explorer

Hi

I have one question: is it possible to count the number of events in regex format for writing in transforms.conf?

0 Karma
1 Solution

493669
Super Champion

It seems that in your event, double quotes are present around the value for action=. Can you try the below:
in transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = action=\"deny\"
DEST_KEY = queue
FORMAT = indexQueue


0 Karma


khanlarloo
Explorer

Thank you, it works now.

0 Karma

niketn
Legend

@khanlarloo I have converted @493669 's comment to Answer. Please accept the same to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

richgalloway
SplunkTrust

Please provide more details about what you are trying to do. What exactly are you trying to achieve via transforms.conf?

---
If this reply helps you, Karma would be appreciated.
0 Karma

khanlarloo
Explorer

I want my HF to send a specific field to my receiver and count the number of different strings. I configured props.conf and transforms.conf, but it doesn't work.
I have a field named action=deny; I want to send just this field to my receiver and have it count this field.

[setnull]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue

0 Karma

493669
Super Champion

Can you try these settings:
in props.conf:

[sourcetypename]
TRANSFORMS-set= setnull,setparsing

Make sure the setnull stanza appears first in the list.

in transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue

khanlarloo
Explorer

I tried this, but it doesn't work; when I do this I don't receive any logs.

0 Karma

khanlarloo
Explorer

Here is my event:
Aug 26 13:57:02 192.168.X.3 date=2018-08-26 time=13:51:33 devname="FGT-Lab" devid="FGT" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1535275293 srcip=192.168.X.100 srcport=18730 srcintf="wan1" srcintfrole="wan" dstip=192.168.X.3 dstport=8443 dstintf="root" dstintfrole="undefined" sessionid=5399 proto=6 action="close" policyid=1 policytype="local-in-policy" service="tcp/8443" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="Web Management(HTTPS)" duration=3 sentbyte=5166 rcvdbyte=204729 sentpkt=81 rcvdpkt=150 appcat="unscanned"

0 Karma
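To make the routing behaviour in this thread concrete, here is an added Python simulation (not Splunk code, and not part of any post above) of how a heavy forwarder applies the two transforms.conf stanzas in props.conf order: every matching stanza overwrites the queue key, so the last match wins, which is why setnull has to be listed first. It runs both the original attempt (REGEX = action=deny) and the accepted answer (REGEX = action=\"deny\") against constructed FortiGate-style events modelled on the sample event quoted above (the IPs, ports and action values are made up), and then counts the indexed events by action, which is the part Splunk does at search time rather than in transforms.conf. The function names route and index_and_count are this example's own.

```python
import re

# Constructed sample events modelled on the FortiGate traffic log quoted in the
# thread (addresses, ports and action values are made up for this example).
EVENTS = [
    'Aug 26 13:57:02 192.168.X.3 date=2018-08-26 time=13:51:33 devname="FGT-Lab" type="traffic" srcip=192.168.X.100 dstport=8443 action="close" policyid=1',
    'Aug 26 13:57:05 192.168.X.3 date=2018-08-26 time=13:51:36 devname="FGT-Lab" type="traffic" srcip=192.168.X.200 dstport=22 action="deny" policyid=2',
    'Aug 26 13:57:09 192.168.X.3 date=2018-08-26 time=13:51:40 devname="FGT-Lab" type="traffic" srcip=192.168.X.201 dstport=445 action="deny" policyid=2',
    'Aug 26 13:57:12 192.168.X.3 date=2018-08-26 time=13:51:43 devname="FGT-Lab" type="traffic" srcip=192.168.X.100 dstport=443 action="accept" policyid=1',
]

# transforms.conf stanzas as (stanza name, REGEX, FORMAT), in the order the
# props.conf TRANSFORMS-set line lists them: setnull first, then setparsing.
ORIGINAL = [  # the asker's first attempt: unquoted deny never matches action="deny"
    ("setnull", r".*", "nullQueue"),
    ("setparsing", r"action=deny", "indexQueue"),
]
ACCEPTED = [  # the accepted answer: the regex escapes the surrounding double quotes
    ("setnull", r".", "nullQueue"),
    ("setparsing", r"action=\"deny\"", "indexQueue"),
]


def route(event, transforms, default="indexQueue"):
    """Apply the stanzas in order. Each match overwrites DEST_KEY = queue,
    so the last matching stanza decides where the event goes."""
    queue = default
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def index_and_count(events, transforms):
    """Return (events that reach indexQueue, count of indexed events by action).
    The counting mirrors a search-time `stats count by action` on the receiver;
    transforms.conf itself only routes events, it does not count them."""
    indexed = [e for e in events if route(e, transforms) == "indexQueue"]
    counts = {}
    for e in indexed:
        m = re.search(r'action="([^"]*)"', e)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return indexed, counts


if __name__ == "__main__":
    for label, transforms in (("original", ORIGINAL), ("accepted", ACCEPTED)):
        indexed, counts = index_and_count(EVENTS, transforms)
        print(f"{label}: {len(indexed)} event(s) indexed, counts by action = {counts}")
```

With the original stanzas nothing is indexed, which matches the "I don't receive any logs" report: setnull catches everything and setparsing never matches because the event carries action="deny" with quotes. With the accepted stanzas only the two deny events survive, and the count by action is then a plain search-time aggregation on the receiver.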