Splunk Search

How to achieve regex for ingest actions to match a list of EventCodes?

garrywilmeth
Explorer

Hello,

I am trying to get regex to work in ingest actions to match a list of event codes from Window Security Logs.  

The following regex matches sample text on regex101.com

 

^(EventCode=(1102|4616|4624|4625|4634|46484657|4697|4698|4699|4700|4701|4702|4719|4720|4722|4723|4725|4728|4732|4735|4737|4738|4740|4755|4756|4767|4772|4777|4782|4946|4947|4950|4954|4964|5025|5031|5152|5153|5155|5157|5447))$

 

But it doesn't find in matches when using in ingest actions.

Given the eventcodes listed above, can someone assist me with finding the correct regex that will work inside of ingest actions?

 

Thanks!

 

Screenshot 2023-02-01 at 6.55.55 AM.pngScreenshot 2023-02-01 at 6.53.43 AM.png

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Eliminate the ^ and $ from the regex.  The position of the matching text within the line/event doesn't matter and it's unlikely there will be a random "EventCode=4689" in other events.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Eliminate the ^ and $ from the regex.  The position of the matching text within the line/event doesn't matter and it's unlikely there will be a random "EventCode=4689" in other events.

---
If this reply helps you, Karma would be appreciated.

garrywilmeth
Explorer

@richgalloway How could I flip that so the regex matches anything that is not in that list?

Thanks,

Garry

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Regex doesn't do negation well, but you can try this

EventCode=(?!1102|4616|4624|4625|4634|46484657|4697|4698|4699|4700|4701|4702|4719|4720|4722|4723|4725|4728|4732|4735|4737|4738|4740|4755|4756|4767|4772|4777|4782|4946|4947|4950|4954|4964|5025|5031|5152|5153|5155|5157|5447)
---
If this reply helps you, Karma would be appreciated.
0 Karma

garrywilmeth
Explorer

Beautiful!  Too easy 🙂

 

Thanks so much.

0 Karma
Get Updates on the Splunk Community!

Notification Email Migration Announcement

The Notification Team is migrating our email service provider from Postmark to AWS Simple Email Service (SES) ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...