Splunk Search

How to add two fields using regex in transforms.conf to filter out certain events from checkpoint data?

dfigurello
Communicator

Hi everyone,

I need help to create a better regex in my transforms.conf. I am filtering checkpoint data in my Splunk.
In this case, I don't want collect the following event
sourcetype=opsec action=allowed src=172.20.1.1
OR
sourcetype=opsec action=allowed src=172.20.1.2

I created the props.conf and transforms.conf:

props.conf:
[opsec]
TRANSFORMS-t1 = eliminate_opsec 

transforms.conf
[eliminate_opsec]
REGEX = (src\=172.20.1.1|src\=172.20.1.2)
DEST_KEY = queue
FORMAT = nullQueue

I need add in the regex, the field action=allowed.
How do I do add this function ?

0 Karma
1 Solution

dfigurello
Communicator

dfigurello
Communicator

alt text

richgalloway
SplunkTrust
SplunkTrust

What I see is an event that was indexed because it did not match the regex string in the eliminate_opsec stanza. The match failed because the IP address was not one of the two in the regex. If that is not the expected behavior then please restate the requirements.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dfigurello
Communicator

Hi richgalloway,

It just example, because I can't show real address ip.
I am changing the values (address ip) in transforms.conf, according with requirements.

Tks,

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe there is a stray backslash in the regex string. Try this one:

(action=allowed(.*)(src=172\.20\.1\.1|src=172\.20\.1\.2))
---
If this reply helps you, Karma would be appreciated.

dfigurello
Communicator

Hi Richgalloway!

it worked really well!
Thanks a lot.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This matches the examples you gave.

REGEX = action=allowed\s+(src=172.20.1.1|src=172.20.1.2)
---
If this reply helps you, Karma would be appreciated.
0 Karma

dfigurello
Communicator

Hi Richgalloway,

I tried but not works.

REGEX = action=allowed\s+(src=172.20.1.1|src=172.20.1.2)

and then i tried this:

REGEX = action\=allowed\s+(src\=172.20.1.1|src\=172.20.1.2)

Cheers!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this as well

REGEX = action=allowed(.*)(src=172\.20\.\1\.1|src=172\.20\.1\.2)
0 Karma

dfigurello
Communicator

Thanks a lot too Somesoni2.
:)

0 Karma

dfigurello
Communicator

Unfortunately no.

When I remove action=allowed, my regex works well.
Any idea?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this:

REGEX = (action=allowed(.*)(src=172\.20\.\1\.1|src=172\.20\.1\.2))
---
If this reply helps you, Karma would be appreciated.
0 Karma

dfigurello
Communicator

Unfortunately no.

Look above the picture:
Cheers!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Did 2nd option work?

0 Karma

dfigurello
Communicator

Hi Somesoni2,

No.
:(

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Can you post some sample raw data?

0 Karma

dfigurello
Communicator

Sure.

loc=17389746|time=29Oct2014 16:28:39|action=allowed|orig=172.20.1.1|i/f_dir=inbound|i/f_name=eth3|has_accounting=0|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={000000E0-003F-0046-93C9-1F533951F91E};mgmt=gerfw;date=1414530153;policy_name=example1]|inzone=Internal|outzone=External|service_id=http|src=172.20.1.1|s_port=58077|dst=173.xxx.yyy.57|service=80|proto=tcp|xlatesrc=172.20.1.xx|xlatesport=29365|xlatedport=0|NAT_rulenum=267|NAT_addtnl_rulenum=1|rule=781

Cheers!

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...