Solved: Re: How to specify a phrase to filter out

a212830 · ‎03-17-2016

Hi,

I want to filter out events that have a specific phrase in them. The phrase is "FIP VLAN" (which could be anywhere in the event). Looking at this example, how would the regex be setup?

[setnull]
REGEX = [sshd]
DEST_KEY = queue
FORMAT = nullQueue

REGEX = \"FIP VLAN\" ?

Jon_Webster · ‎03-17-2016

If your data actually includes the double quotes character (") then that should work. If the data does not, then it won't.
REGEX=\"FIP VLAN\" will match "FIP VLAN". Note the quotes actually exist in your data, and there is a single invisible space between the words.
REGEX=FIP VLAN will match FIP VLAN. Note there are no quotes in the data, and there is a single space between the words.
REGEX=\"FIP\sVLAN\" will match "FIP VLAN". Note there is a single space between the words. The "\s" char requires exactly one whitespace between the words, which can be a space, tab, or linebreak. This is better if you're certain there is only one space, for example you don't want to filter out "FIP VLAN" (two spaces between).
REGEX=\"FIP\s+VLAN\" will match "FIP VLAN". Note there is a single space between the words. The "\s+" char requires one or more spaces between the words. This is better if you're not certain how many spaces there could be.
REGEX=\s+FIP\s+VLAN\s+ This will filter out (space)FIP(space)VLAN(space). This is better if you want to be sure NOT to filter out phrases like: FIP VLAN2, or TFIP VLAN

There are lots of easy regex testers online, and free tools to download.

View solution in original post

Jon_Webster · ‎03-17-2016

If your data actually includes the double quotes character (") then that should work. If the data does not, then it won't.
REGEX=\"FIP VLAN\" will match "FIP VLAN". Note the quotes actually exist in your data, and there is a single invisible space between the words.
REGEX=FIP VLAN will match FIP VLAN. Note there are no quotes in the data, and there is a single space between the words.
REGEX=\"FIP\sVLAN\" will match "FIP VLAN". Note there is a single space between the words. The "\s" char requires exactly one whitespace between the words, which can be a space, tab, or linebreak. This is better if you're certain there is only one space, for example you don't want to filter out "FIP VLAN" (two spaces between).
REGEX=\"FIP\s+VLAN\" will match "FIP VLAN". Note there is a single space between the words. The "\s+" char requires one or more spaces between the words. This is better if you're not certain how many spaces there could be.
REGEX=\s+FIP\s+VLAN\s+ This will filter out (space)FIP(space)VLAN(space). This is better if you want to be sure NOT to filter out phrases like: FIP VLAN2, or TFIP VLAN

There are lots of easy regex testers online, and free tools to download.

a212830 · ‎03-18-2016

Thanks. My question was mainly around extracting it within the event - so will all of those work regardless of where the text is within the event? I assumed that some regex statement would be required to handle that part.

Jon_Webster · ‎03-18-2016

It gets a bit more complicated if you want to ensure it will work at the beginning or end of an event or line, and at the same time you want to ensure it will discriminate pre/postfixes. FIP\s+VLAN will work at the begin/end of a line, and anywhere in the middle, but will also filter out xyzFIPS VLANxyz.
If you want to get fancy look up start & end line chars, and create pre & postfix groups of multiple optional chars.

How to specify a phrase to filter out

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)