Splunk Search

How to use regex to filter out logs?

martaBenedetti
Path Finder

Hi community,

I have the need to exclude AIX logs containing a certain field value.

This is the regex the parser is using to extract the vendor_action field:

^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+(?<pid>\d+)\s+(?<ppid>\d+)\s+(?<user>\S+)\s+(?<process>\S+)\s+(?<vendor_action>\S+)\s+(?<status>\S+)

I'm trying to exclude events that contain vendor_action=FILE_Unlink and these are my conf files located on the Heavy Forwarder:

props.conf

[aix:audit]
TRANSFORMS-null= setnull

transforms.conf

[setnull]
REGEX    = ^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+FILE_Unlink\s+\S+
DEST_KEY = queue
FORMAT   = nullQueue

These are sample logs: the first one should be excluded while the second one should not:

Fri Jul 02 10:01:49 2021 34078844 8520050  dbloader rm                              FILE_Unlink     OK          Not supported                   
        filename /tmp/CSI_ODS_M_SIA__INFO_RILANCIO.txt

Fri Jul 02 10:01:46 2021 34930828 4587668  root     root     lsvg                            FILE_Unlink     OK          
        filename /dev/__pv17.0.34930828

When I restart Splunk all logs are excluded, so I think something is wrong with my REGEX even if on regex101 it seems to work fine.

Any ideas?

Thanks a lot

Marta

0 Karma

ITWhisperer
SplunkTrust

The first one has 2 words between the numbers and FILE_Unlink whereas the second one has 3 words - your regex only caters for the first case

0 Karma
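
As an added example (not part of the original thread), this Python check runs the REGEX from the [setnull] stanza against the two sample events as posted and lists the tokens that sit between the ppid column and FILE_Unlink. Python's re module stands in for Splunk's PCRE engine, an assumption that holds for the constructs this pattern uses; the function names are hypothetical.

```python
import re

# The REGEX from the [setnull] stanza on this page, unchanged.
SETNULL = re.compile(
    r"^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+FILE_Unlink\s+\S+"
)

# The two sample events from the question, each kept as one multi-line event.
EVENT_1 = (
    "Fri Jul 02 10:01:49 2021 34078844 8520050  dbloader rm"
    "                              FILE_Unlink     OK          Not supported\n"
    "        filename /tmp/CSI_ODS_M_SIA__INFO_RILANCIO.txt"
)
EVENT_2 = (
    "Fri Jul 02 10:01:46 2021 34930828 4587668  root     root     lsvg"
    "                            FILE_Unlink     OK\n"
    "        filename /dev/__pv17.0.34930828"
)


def routed_to_null_queue(raw):
    """True if the transform's REGEX matches the raw event text."""
    # No MULTILINE flag: '^' anchors only at the start of the whole event,
    # so the indented 'filename' continuation line cannot start a match.
    return SETNULL.search(raw) is not None


def tokens_before_action(raw, action="FILE_Unlink"):
    """Whitespace-separated tokens between the ppid column and the action."""
    header = raw.splitlines()[0].split()
    # Tokens 0-4 are the timestamp, 5 is the pid, 6 is the ppid.
    return header[7:header.index(action)]


if __name__ == "__main__":
    for name, event in (("event 1", EVENT_1), ("event 2", EVENT_2)):
        print(name,
              "nullQueue" if routed_to_null_queue(event) else "indexed",
              tokens_before_action(event))
```
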

martaBenedetti
Path Finder

@ITWhisperer Do you have a suggestion on how to do so?

That is, filter out the first kind of log?

Thanks

0 Karma

ITWhisperer
SplunkTrust

I can't see anything wrong with what you have posted. Which version of Splunk are you using?

0 Karma

martaBenedetti
Path Finder

@ITWhisperer on HFW there is Splunk Enterprise 7.1.3.

Thought you were thinking about something 🙂

Thanks anyway!!

0 Karma

martaBenedetti
Path Finder

@ITWhisperer that's right: the first one should be excluded with nullQueue and the second one should be indexed.

The problem though is that all logs are excluded.

0 Karma