Splunk Search

How to specify a phrase to filter out

a212830
Champion

Hi,

I want to filter out events that have a specific phrase in them. The phrase is "FIP VLAN" (which could be anywhere in the event). Looking at this example, how would the regex be set up?

[setnull]
REGEX = [sshd]
DEST_KEY = queue
FORMAT = nullQueue

REGEX = \"FIP VLAN\" ?

0 Karma
1 Solution

Jon_Webster
Splunk Employee

If your data actually includes the double quotes character (") then that should work. If the data does not, then it won't.
REGEX=\"FIP VLAN\" will match "FIP VLAN". Note the quotes actually exist in your data, and there is a single invisible space between the words.
REGEX=FIP VLAN will match FIP VLAN. Note there are no quotes in the data, and there is a single space between the words.
REGEX=\"FIP\sVLAN\" will match "FIP VLAN". Note there is a single space between the words. The "\s" char requires exactly one whitespace between the words, which can be a space, tab, or linebreak. This is better if you're certain there is only one space, for example you don't want to filter out "FIP VLAN" (two spaces between).
REGEX=\"FIP\s+VLAN\" will match "FIP VLAN". Note there is a single space between the words. The "\s+" char requires one or more spaces between the words. This is better if you're not certain how many spaces there could be.
REGEX=\s+FIP\s+VLAN\s+ This will filter out (space)FIP(space)VLAN(space). This is better if you want to be sure NOT to filter out phrases like: FIP VLAN2, or TFIP VLAN

There are lots of easy regex testers online, and free tools to download.


a212830
Champion

Thanks. My question was mainly around extracting it within the event - so will all of those work regardless of where the text is within the event? I assumed that some regex statement would be required to handle that part.

0 Karma

Jon_Webster
Splunk Employee

It gets a bit more complicated if you want to ensure it will work at the beginning or end of an event or line, and at the same time you want to ensure it will discriminate pre/postfixes. FIP\s+VLAN will work at the begin/end of a line, and anywhere in the middle, but will also filter out xyzFIPS VLANxyz.
If you want to get fancy look up start & end line chars, and create pre & postfix groups of multiple optional chars.

0 Karma
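To make the differences between the candidate REGEX values in the accepted answer and the anchoring problem raised in the last reply concrete, here is an added example (not from the thread, not Splunk's own code). It replays each candidate over a handful of constructed events the way a [setnull]-style transform would: the REGEX is applied to the raw event as an unanchored search, so a match anywhere in the event sends it to nullQueue. Python's re module is used as a stand-in for the PCRE engine Splunk runs; the two agree for the constructs used here. The sample events, the candidate names, and the two "boundary"/"delimited" patterns (my reading of the "start & end line chars plus optional pre/postfix groups" idea) are assumptions for illustration.

```python
import re

# Constructed sample events (not from the thread); each is one raw event
# as it would reach the indexing pipeline. Index comments are referenced below.
SAMPLE_EVENTS = [
    'Jul 01 12:00:01 sw1 port Gi1/1 joined "FIP VLAN" 100',   # 0: quoted, mid-event
    'FIP VLAN discovery timed out on Gi1/2',                  # 1: at start, no quotes
    'Jul 01 12:00:03 sw1 FIP  VLAN renegotiated',             # 2: two spaces between
    'Jul 01 12:00:04 sw1 link up on FIP VLAN',                # 3: at end of event
    'Jul 01 12:00:05 sw1 trunk carries FIP VLAN2 and VLAN3',  # 4: suffix, should survive
    'Jul 01 12:00:06 sw1 TFIP VLAN probe received',           # 5: prefix, should survive
    'Jul 01 12:00:07 sw1 sshd session opened for user alice', # 6: unrelated
]

# Candidate REGEX values, in the order the accepted answer lists them,
# followed by two anchored forms (hypothetical refinements, not from the thread).
CANDIDATES = {
    'quoted_literal': r'"FIP VLAN"',            # REGEX=\"FIP VLAN\"  (quotes must be in the data)
    'literal':        r'FIP VLAN',              # REGEX=FIP VLAN
    'single_ws':      r'FIP\sVLAN',             # REGEX=\"FIP\sVLAN\" without the quotes
    'one_or_more_ws': r'FIP\s+VLAN',            # REGEX=FIP\s+VLAN
    'ws_padded':      r'\s+FIP\s+VLAN\s+',      # REGEX=\s+FIP\s+VLAN\s+
    # start-of-event or whitespace before, whitespace or end-of-event after
    'boundary':       r'(?:^|\s)FIP\s+VLAN(?:\s|$)',
    # same idea, but the optional pre/postfix group also accepts a double quote
    'delimited':      r'(?:^|[\s"])FIP\s+VLAN(?:[\s"]|$)',
}


def routes_to_null_queue(pattern, event):
    """True when a [setnull]-style transform using this REGEX would drop the event.

    transforms.conf applies REGEX to the raw event (SOURCE_KEY defaults to _raw)
    as an unanchored search, which is why re.search rather than re.match is used:
    position within the event does not matter unless the pattern itself anchors.
    """
    return re.search(pattern, event) is not None


def dropped_events(pattern, events=SAMPLE_EVENTS):
    """Indices of the events this pattern would route to nullQueue."""
    return [i for i, event in enumerate(events) if routes_to_null_queue(pattern, event)]


def compare(candidates=CANDIDATES, events=SAMPLE_EVENTS):
    """Map each candidate name to the list of event indices it would drop."""
    return {name: dropped_events(pattern, events) for name, pattern in candidates.items()}


def report(candidates=CANDIDATES, events=SAMPLE_EVENTS):
    """Human-readable table of which events each candidate drops or keeps."""
    lines = []
    for name, dropped in compare(candidates, events).items():
        lines.append(f'{name:15s} {candidates[name]!s:40s} drops {dropped}')
        kept = [i for i in range(len(events)) if i not in dropped]
        lines.append(f'{"":15s} {"":40s} keeps {kept}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report())
```

Running it shows what the thread describes: the unquoted literal forms drop events 4 and 5 (the "FIP VLAN2" and "TFIP VLAN" cases) because nothing constrains what surrounds the phrase; the whitespace-padded form avoids those but also misses events 1 and 3, where the phrase sits at the very start or end of the event and has no surrounding whitespace to consume; and the anchored forms keep 4 and 5 while still catching 1, 2 and 3. Before putting any of these into transforms.conf, replay the candidate over a sample of real events from the source in question, since a filter that matches too broadly silently discards data you may later need for an investigation.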