Splunk Search

Can we use regex for counting fields?

Explorer

Hi

I have one question: is it possible to count the number of events in regex format, for writing in transforms.conf?

0 Karma
1 Solution

Super Champion

It seems in your event double quotes are present around action=. Can you try the below:
in transforms.conf -

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = action=\"deny\"
DEST_KEY = queue
FORMAT = indexQueue


0 Karma
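To see why the stanza order and the escaped quotes matter, here is an added Python model of the routing (not Splunk code and not from the thread): it runs the accepted answer's stanzas over constructed FortiGate-style events in TRANSFORMS list order, with the last matching stanza deciding the queue, and compares the result against the asker's unquoted regex and against the reversed order.

```python
import re

# Constructed FortiGate-style events modelled on the one posted in the thread
# (shortened, documentation-range addresses); they are not real log data.
SAMPLE_EVENTS = [
    'Aug 26 13:57:02 192.0.2.3 devname="FGT-Lab" type="traffic" srcip=192.0.2.100 '
    'dstip=192.0.2.3 dstport=8443 action="close" service="tcp/8443"',
    'Aug 26 13:58:10 192.0.2.3 devname="FGT-Lab" type="traffic" srcip=192.0.2.200 '
    'dstip=192.0.2.3 dstport=22 action="deny" service="tcp/22"',
    'Aug 26 13:59:45 192.0.2.3 devname="FGT-Lab" type="traffic" srcip=192.0.2.100 '
    'dstip=192.0.2.3 dstport=443 action="accept" service="tcp/443"',
]

# transforms.conf stanzas from the accepted answer (quotes escaped in the regex).
TRANSFORMS_ACCEPTED = {
    "setnull": {"REGEX": r".", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": r'action=\"deny\"', "FORMAT": "indexQueue"},
}
# The asker's first attempt: same stanzas, but the regex has no quotes.
TRANSFORMS_UNQUOTED = {
    "setnull": {"REGEX": r".*", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": r"action=deny", "FORMAT": "indexQueue"},
}


def route_event(event, transforms, order):
    """Model TRANSFORMS-set = <order>: stanzas run in list order, and each
    matching stanza overwrites DEST_KEY = queue, so the last match wins.
    An event no stanza matches keeps the default indexQueue."""
    queue = "indexQueue"
    for name in order:
        stanza = transforms[name]
        if re.search(stanza["REGEX"], event):
            queue = stanza["FORMAT"]
    return queue


def count_by_queue(events, transforms, order):
    """Count events per queue; the indexQueue figure is the number of
    action="deny" events the receiver would actually get."""
    counts = {"indexQueue": 0, "nullQueue": 0}
    for event in events:
        counts[route_event(event, transforms, order)] += 1
    return counts


if __name__ == "__main__":
    order = ["setnull", "setparsing"]
    print("accepted", count_by_queue(SAMPLE_EVENTS, TRANSFORMS_ACCEPTED, order))
    print("unquoted", count_by_queue(SAMPLE_EVENTS, TRANSFORMS_UNQUOTED, order))
    # Wrong order: setnull runs last and overrides setparsing, so nothing is indexed.
    print("reversed", count_by_queue(SAMPLE_EVENTS, TRANSFORMS_ACCEPTED, order[::-1]))
```

The unquoted regex never matches `action="deny"`, so every event goes to nullQueue, which is the "I don't receive any logs" symptom described later in the thread.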


Explorer

Thank you, it works now.

0 Karma

Legend

@khanlarloo I have converted @493669 's comment to Answer. Please accept the same to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust

Please provide more details about what you are trying to do. What exactly are you trying to achieve via transforms.conf?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

I want my HF to send a specific field to my receiver and count the number of different strings. I configured props.conf and transforms.conf but it doesn't work.
I have a field named action=deny; I want to send just this field to my receiver, and count this field.

[setnull]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue

0 Karma

Super Champion

Can you try these settings:
in props.conf -

[sourcetypename]
TRANSFORMS-set= setnull,setparsing

Here, make sure the setnull stanza appears first in the list.

in transforms.conf -

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue

Explorer

I tried this but it doesn't work; when I do this I don't receive any logs.

0 Karma

Explorer

Here is my event:
Aug 26 13:57:02 192.168.X.3 date=2018-08-26 time=13:51:33 devname="FGT-Lab" devid="FGT" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1535275293 srcip=192.168.X.100 srcport=18730 srcintf="wan1" srcintfrole="wan" dstip=192.168.X.3 dstport=8443 dstintf="root" dstintfrole="undefined" sessionid=5399 proto=6 action="close" policyid=1 policytype="local-in-policy" service="tcp/8443" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="Web Management(HTTPS)" duration=3 sentbyte=5166 rcvdbyte=204729 sentpkt=81 rcvdpkt=150 appcat="unscanned"

0 Karma