Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use regex in eventtypes.conf

lakromani
Builder
‎11-09-2015 04:51 AM

I have data in following formats:

Nov 04 21:47:59 server1 gtu[22038]: 2833CA0D c   (master)   1A 0B 81 2D 5F 66 36 A7 DC F3 60 B0 
Nov 04 21:47:59 server1 gtu[22038]: 2833CA0D c   (master)   02 6D A0 3C B1 B3 59 CD EC BC CB 7B 55 65 85 CA 
Nov 04 21:47:59 server1 gtu[22038]: 2833CA0D c   (master)   82 70 29 01 02 06 02 BE 04 A5 FB 6C 1F 90 1D 40 
Nov 04 21:47:58 server1 gtu[22038]: 2833CA0D c   (master)   7E A0 51 E5 B2 CA

I need to set this as one eventtype.
Number of data field can go from 2 to 16.
With normal search, I can use this format:

* | regex _raw="gtu.* \(master\)\s+\w\w\s+\w\w"

But in eventypes.conf this does not work.

[gtu-master-data]
search = regex _raw="gtu.* \(master\)\s+\w\w\s+\w\w"

Does regex not work in *eventypes.conf

Tags (2)
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-09-2015 11:44 AM

For any search, you can look at the job inspector (Job > Inspect Job) and find the row "canBeEventType" which will be set to either 0 (cannot) or 1 (can).

Reply

woodcock
Esteemed Legend
‎11-09-2015 08:46 AM

You need to create a field-extraction that qualifies/classifies the events (like number_of_bytes) and then create an eventtype based on that (like number_of_bytes = 2).

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-09-2015 06:59 AM

Pipes, and other non-streaming commands are not allowed in event types. The search definition must contain only the basics of a simple search - no pipes, no transactions, not regex, nothing other than the "base search" that will match your event type.

So your eventtype in this case will be the following, since this will only include things that match the search definition.

eventtypes.conf

[gtu-master-data]
 search = gtu master master_hex=*

props.conf

 [your_sourcetype]
 EXTRACT-hex_values = gtu\[(?<process_pid>[^\]]+)\]:[^\(]+\(master\)\s+(?<master_hex>(?:[a-fA-F0-9\s]{2})+)

UPDATE: so this should work, but I haven't tested it. Basically, in the props.conf you specify the Extraction for "Master Hex" values, (call it what you want), that matches the formation of hex values. Then you use the event type to limit those events that have any value of master hex.

http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Abouteventtypes
Here's the restriction documentation (from below comment) http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/defineeventtypes#Important_event_type_de...

Reply

lakromani
Builder
‎11-09-2015 08:36 AM

Problem is that doing this will hit lots of other stuff, that is already to tagged.
So I need to differentiate this data from other stuff.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-09-2015 07:39 AM

@alacercogitatus; I did read that link before I posted my comment and you will note that the documentation does not mention this limitation (which I was pretty sure existed, since that was always how I wrote them). The documentation definitely needs an update to call this out.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-09-2015 08:44 AM

The documentation in the Knowledge Manager Manual does have the restrictions in place. I agree, the spec should be updated to include the specific line.

 You cannot base an event type on a search that includes a pipe operator or a subsearch .

  In addition, you cannot base an event type on a search that references a report. For example, if you have a report with the name failed_login_search, you can't create an event type that is defined by savedsearch=failed_login_search. In a case like this you should always give the event type the same search string as the report.

http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/defineeventtypes#Important_event_type_de...

Reply

clorne
Communicator
‎11-09-2015 05:51 AM

Hello,
There is some examples in this post that may help you:
https://answers.splunk.com/answers/293531/how-to-write-the-regex-for-transformsconf-to-extra.html

Regards

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...