Splunk Search

Filter field from certain events through a regex transform

bagaeva
Engager

Hello, I need to filter fields, but only on certain events.

Sample events:

1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_cr = 56 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624 

1508735662.348 d = a event = cup fI = "2017-10-22 17: 26: 37.000" serv = ru_1 sn = u_cl = 1 u_cr = 300 u_geo = RU u_id = 1256228 u_mn = 595 u_pvp = 0 u_sd = 600 u_st = 700 u_wd = 760 u_wl = 1 

The field u_cr = 56 must be removed only from the first (event = vil). In the second (event = cup), it should not change.

After filtering, the first event looks like:

1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624

I'm using a regex transform:

In props.conf:

[compact]
TRANSFORMS-eventvil = vilcut

In transforms.conf:

[vilcut]
REGEX = (event=vil.*)u_cr=.[^ \?]*(.*)$
FORMAT = $1::$2
DEST_KEY = _raw

But the field u_cr doesn't change. What am I doing wrong?

0 Karma

gcusello
SplunkTrust

Hi bagaeva,
see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
Anyway, you have to modify:
props.conf

[compact]
TRANSFORMS-eventvil = vilcut,setnull

transforms.conf

[vilcut]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

[setnull]
REGEX = event \= vil.*u_cr \= 56
DEST_KEY = queue
FORMAT = nullQueue

Check this regex at https://regex101.com/r/dLMByF/1 .

Bye.
Giuseppe

0 Karma

bagaeva
Engager

Thanks, I'm using the regexp event \= vil.*u_cr \= .[^ \?]*

[vilcut]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
[setnull]
REGEX = event \= vil.*u_cr \= .[^ \?]*
DEST_KEY = queue
FORMAT = nullQueue

Check this regex at https://regex101.com/r/dLMByF/2

With this configuration, Splunk filters out the event = vil event completely. I need to filter only the field u_cr=.[^ \?]*, and only in event=vil.

0 Karma
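Neither post in the thread shows a transform that actually rewrites _raw, so here is an added example that is not from the original thread or from either poster. Two things in the original [vilcut] stanza explain why u_cr never changed: FORMAT = $1::$2 is the key::value syntax for DEST_KEY = _meta and, with DEST_KEY = _raw, writes a literal "::" into the event instead of just joining the two captures (it should be FORMAT = $1$2), and the pattern event=vil cannot match if the events really carry spaces around "=" as the samples above do. The script below holds the corrected stanza as a string and emulates what Splunk does with it at parse time (rewrite _raw as $1$2 when REGEX matches, leave it alone otherwise) using Python's re module, which is close enough to PCRE for this pattern. The regex is an assumption of mine and goes beyond the samples on purpose: it tolerates both "u_cr = 56" and "u_cr=56", removes u_cr wherever it sits in the event, and leaves events untouched that are not event=vil or have no u_cr at all. The sample events are copied from the question (trailing space stripped); the extra events are constructed.

```python
import re

# Corrected stanza for transforms.conf (added example, not the page's config).
# [vilcut] is the OP's stanza name; it is wired up in props.conf exactly as in
# the question:  [compact]  TRANSFORMS-eventvil = vilcut
# The regex is an assumption, chosen to tolerate optional spaces around "=".
TRANSFORMS_CONF = r"""
[vilcut]
REGEX = ^(?=.*\bevent\s*=\s*vil\b)(.*?)\s*\bu_cr\s*=\s*\S+(.*)$
FORMAT = $1$2
DEST_KEY = _raw
"""

# Same pattern compiled for the emulation below:
#   (?=.*\bevent\s*=\s*vil\b)  lookahead: only touch events whose event field is vil
#   (.*?)                      $1: everything before the u_cr field
#   \s*\bu_cr\s*=\s*\S+        the field to drop, plus the whitespace in front of it
#   (.*)$                      $2: everything after the value
VIL_CUT_REGEX = re.compile(r"^(?=.*\bevent\s*=\s*vil\b)(.*?)\s*\bu_cr\s*=\s*\S+(.*)$")


def cut_u_cr(raw: str) -> str:
    """Emulate the [vilcut] transform on one _raw event.

    Splunk applies REGEX to _raw and, on a match, replaces _raw with FORMAT
    ($1$2 here). A non-matching event is passed through unchanged, which is
    what keeps event=cup intact.
    """
    m = VIL_CUT_REGEX.match(raw)
    if m is None:
        return raw
    return m.group(1) + m.group(2)


# Sample events from the question (trailing space removed).
VIL_EVENT = (
    "1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 "
    "sn = o u_cl = 19 u_cr = 56 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 "
    "u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624"
)
CUP_EVENT = (
    '1508735662.348 d = a event = cup fI = "2017-10-22 17: 26: 37.000" serv = ru_1 '
    "sn = u_cl = 1 u_cr = 300 u_geo = RU u_id = 1256228 u_mn = 595 u_pvp = 0 u_sd = 600 "
    "u_st = 700 u_wd = 760 u_wl = 1"
)
# Expected result for the vil event, as given in the question.
VIL_EVENT_EXPECTED = (
    "1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 "
    "sn = o u_cl = 19 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 "
    "u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624"
)

# Constructed edge cases (not from the page): u_cr before the event field,
# u_cr as the last field with no spaces around "=", and a vil event without u_cr.
EDGE_EVENTS = {
    "1508735700.000 d = a u_cr = 7 event = vil u_id = 1": "1508735700.000 d = a event = vil u_id = 1",
    "1508735800.000 event=vil u_id=2 u_cr=9": "1508735800.000 event=vil u_id=2",
    "1508735900.000 event = vil u_id = 3": "1508735900.000 event = vil u_id = 3",
}


def check_all() -> bool:
    """Run the transform over every sample and report whether all results match."""
    expected = {VIL_EVENT: VIL_EVENT_EXPECTED, CUP_EVENT: CUP_EVENT, **EDGE_EVENTS}
    return all(cut_u_cr(raw) == want for raw, want in expected.items())


if __name__ == "__main__":
    for raw in (VIL_EVENT, CUP_EVENT, *EDGE_EVENTS):
        print(cut_u_cr(raw))
    print("all samples OK:", check_all())
```

A few caveats before deploying the stanza: TRANSFORMS with DEST_KEY = _raw run on the parsing tier (indexer or heavy forwarder), not on a universal forwarder, and only affect data indexed after the restart; data already on disk keeps its u_cr field. Rewriting _raw is irreversible, so test the regex against a file of real events (for example with the script above, reading lines from the file) before enabling it, and keep gcusello's nullQueue stanza out of the chain unless you really want whole events dropped. If you prefer props.conf only, the same rewrite can be expressed as a SEDCMD-vilcut = s/<regex>/\1\2/ line, which takes sed-style \1 \2 backreferences instead of $1$2.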