Splunk Search

How to add two REGEXes to transforms.conf?

dmccabe2
New Member

Hi,

I need to add two RegEx to transforms.conf and props.conf. If I add one block of code, testing each REGEX independently works.

If I duplicate the same block of code adding another REGEX, it fails.

I assume it's related to using the same variables but am uncertain.

WORKS:

  PROPS FILE: (PROPS.CONF):
  =======================
  [source::/path/to/your/access.log*]
  TRANSFORMS-null= setnull

  TRANSFORM FILE:  (transform.conf):
  ==============================
  [setnull]
  REGEX = \"GET\s\/pictures
  DEST_KEY = queue
  FORMAT = nullQueue

PROBLEM:

PROPS FILE: (PROPS.CONF):
=======================
[source::/path/to/your/access.log*]
TRANSFORMS-null= setnull

TRANSFORM FILE:  (transform.conf):
==============================
[setnull]
REGEX = \"GET\s\/t_static\/clients\/(.*)\/images
DEST_KEY = queue
FORMAT = nullQueue

Thanks,

0 Karma

gyarici
Path Finder

Hi,

what i understood is you want to use multiple regex for similar log lines. As soon as you determined Regex1 and Regex2, you should use this structure below to have 1 regex query.

REGEX = (Regex1|Regex2) in your transform.conf

Hope it is ok.

Thanks

Gokhan

dmccabe2
New Member

Thak you so much I will try

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please share examples of the strings you're trying to match.

---
If this reply helps you, an upvote would be appreciated.
0 Karma