Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to add two fields using regex in transforms.conf to filter out certain events from checkpoint data?

dfigurello
Communicator
‎10-29-2014 11:05 AM

Hi everyone,

I need help to create a better regex in my transforms.conf. I am filtering checkpoint data in my Splunk.
In this case, I don't want collect the following event
sourcetype=opsec action=allowed src=172.20.1.1
OR
sourcetype=opsec action=allowed src=172.20.1.2

I created the props.conf and transforms.conf:

props.conf:
[opsec]
TRANSFORMS-t1 = eliminate_opsec 

transforms.conf
[eliminate_opsec]
REGEX = (src\=172.20.1.1|src\=172.20.1.2)
DEST_KEY = queue
FORMAT = nullQueue

I need add in the regex, the field action=allowed.
How do I do add this function ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dfigurello
Communicator
‎10-29-2014 03:35 PM

alt text

View solution in original post

Preview file
102 KB
Reply
Solved! Jump to solution
Solution

dfigurello
Communicator
‎10-29-2014 03:35 PM

alt text

Preview file
102 KB
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-30-2014 05:08 AM

What I see is an event that was indexed because it did not match the regex string in the eliminate_opsec stanza. The match failed because the IP address was not one of the two in the regex. If that is not the expected behavior then please restate the requirements.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-30-2014 05:43 AM

Hi richgalloway,

It just example, because I can't show real address ip.
I am changing the values (address ip) in transforms.conf, according with requirements.

Tks,

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-30-2014 06:01 AM

I believe there is a stray backslash in the regex string. Try this one:

(action=allowed(.*)(src=172\.20\.1\.1|src=172\.20\.1\.2))
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-30-2014 11:23 AM

Hi Richgalloway!

it worked really well!
Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-29-2014 11:13 AM

This matches the examples you gave.

REGEX = action=allowed\s+(src=172.20.1.1|src=172.20.1.2)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-29-2014 11:33 AM

Hi Richgalloway,

I tried but not works.

REGEX = action=allowed\s+(src=172.20.1.1|src=172.20.1.2)

and then i tried this:

REGEX = action\=allowed\s+(src\=172.20.1.1|src\=172.20.1.2)

Cheers!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-29-2014 12:50 PM

Try this as well

REGEX = action=allowed(.*)(src=172\.20\.\1\.1|src=172\.20\.1\.2)
0 Karma
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-30-2014 11:24 AM

Thanks a lot too Somesoni2.
:)

0 Karma
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-29-2014 01:05 PM

Unfortunately no.

When I remove action=allowed, my regex works well.
Any idea?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-29-2014 01:14 PM

Try this:

REGEX = (action=allowed(.*)(src=172\.20\.\1\.1|src=172\.20\.1\.2))
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-29-2014 03:34 PM

Unfortunately no.

Look above the picture:
Cheers!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-29-2014 12:47 PM

Did 2nd option work?

0 Karma
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-29-2014 12:51 PM

Hi Somesoni2,

No.
:(

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-29-2014 11:07 AM

Can you post some sample raw data?

0 Karma
Reply
Solved! Jump to solution

dfigurello
Communicator
‎10-29-2014 11:32 AM

Sure.

loc=17389746|time=29Oct2014 16:28:39|action=allowed|orig=172.20.1.1|i/f_dir=inbound|i/f_name=eth3|has_accounting=0|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={000000E0-003F-0046-93C9-1F533951F91E};mgmt=gerfw;date=1414530153;policy_name=example1]|inzone=Internal|outzone=External|service_id=http|src=172.20.1.1|s_port=58077|dst=173.xxx.yyy.57|service=80|proto=tcp|xlatesrc=172.20.1.xx|xlatesport=29365|xlatedport=0|NAT_rulenum=267|NAT_addtnl_rulenum=1|rule=781

Cheers!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...