Splunk Search

How to achieve regex for ingest actions to match a list of EventCodes?

garrywilmeth
Explorer

Hello,

I am trying to get regex to work in ingest actions to match a list of event codes from Window Security Logs.  

The following regex matches sample text on regex101.com

 

^(EventCode=(1102|4616|4624|4625|4634|46484657|4697|4698|4699|4700|4701|4702|4719|4720|4722|4723|4725|4728|4732|4735|4737|4738|4740|4755|4756|4767|4772|4777|4782|4946|4947|4950|4954|4964|5025|5031|5152|5153|5155|5157|5447))$

 

But it doesn't find in matches when using in ingest actions.

Given the eventcodes listed above, can someone assist me with finding the correct regex that will work inside of ingest actions?

 

Thanks!

 

Screenshot 2023-02-01 at 6.55.55 AM.pngScreenshot 2023-02-01 at 6.53.43 AM.png

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Eliminate the ^ and $ from the regex.  The position of the matching text within the line/event doesn't matter and it's unlikely there will be a random "EventCode=4689" in other events.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Eliminate the ^ and $ from the regex.  The position of the matching text within the line/event doesn't matter and it's unlikely there will be a random "EventCode=4689" in other events.

---
If this reply helps you, Karma would be appreciated.

garrywilmeth
Explorer

@richgalloway How could I flip that so the regex matches anything that is not in that list?

Thanks,

Garry

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Regex doesn't do negation well, but you can try this

EventCode=(?!1102|4616|4624|4625|4634|46484657|4697|4698|4699|4700|4701|4702|4719|4720|4722|4723|4725|4728|4732|4735|4737|4738|4740|4755|4756|4767|4772|4777|4782|4946|4947|4950|4954|4964|5025|5031|5152|5153|5155|5157|5447)
---
If this reply helps you, Karma would be appreciated.
0 Karma

garrywilmeth
Explorer

Beautiful!  Too easy 🙂

 

Thanks so much.

0 Karma
Get Updates on the Splunk Community!

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...