Solved: Re: Can we use regex for counting fields?

khanlarloo · ‎08-25-2018

Hi

I have one question, is it possible to count the number of event in regex format for writing in transforms.conf?

493669 · ‎08-26-2018

it seems in your event for acion = double quotes are present..can you try below:
in transforms.conf-

[setnull]
 REGEX = .
 DEST_KEY = queue
 FORMAT = nullQueue

 [setparsing]
 REGEX = action=\"deny\"
 DEST_KEY = queue
 FORMAT = indexQueue

View solution in original post

493669 · ‎08-26-2018

it seems in your event for acion = double quotes are present..can you try below:
in transforms.conf-

[setnull]
 REGEX = .
 DEST_KEY = queue
 FORMAT = nullQueue

 [setparsing]
 REGEX = action=\"deny\"
 DEST_KEY = queue
 FORMAT = indexQueue

khanlarloo · ‎08-27-2018

thank you, it workes now.

niketn · ‎08-28-2018

@khanlarloo I have converted @493669 's comment to Answer. Please accept the same to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

richgalloway · ‎08-25-2018

Please provide more details about what you are trying to do. What exactly are you trying to achieve via transforms.conf?

---
If this reply helps you, Karma would be appreciated.

khanlarloo · ‎08-25-2018

i want my HF send specific field to my receiver and count the number of different strings,i configure props.conf and transforms.conf but it doesn't work,
i hav field named action=deny i want to send just this field to my receiver,and it count this field.

[setnull]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue

493669 · ‎08-26-2018

can you try these setings:
in props.conf-

[sourcetypename]
TRANSFORMS-set= setnull,setparsing

Here make sure setnull stanza must appear first in the list.

in transforms.conf-

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue

khanlarloo · ‎08-26-2018

i try this but it doesn't work,when i do this i don't receive any logs

khanlarloo · ‎08-26-2018

here is my event
Aug 26 13:57:02 192.168.X.3 date=2018-08-26 time=13:51:33 devname="FGT-Lab" devid="FGT" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1535275293 srcip=192.168.X.100 srcport=18730 srcintf="wan1" srcintfrole="wan" dstip=192.168.X.3 dstport=8443 dstintf="root" dstintfrole="undefined" sessionid=5399 proto=6 action="close" policyid=1 policytype="local-in-policy" service="tcp/8443" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="Web Management(HTTPS)" duration=3 sentbyte=5166 rcvdbyte=204729 sentpkt=81 rcvdpkt=150 appcat="unscanned"

Can we use regex for counting fields?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation