How to write the regex in transforms.conf to filte...

skenkz · ‎03-25-2015

Hello,
i need to implement a regex to filter contents of logs of vmware infrastructure.

The only logs I want to receive and index in Splunk will have to be:

Mar 25 10:36:45 172.20.1.9 2015-03-25T09:36:31.014Z IBM-ESXi-5.aditinet.local Hostd: [FFB37920 info 'Vimsvc.ha-eventmgr' opID=B6CBCB83-00000031 user=DOMAIN\test.test] Event 2459 : User DOMAIN\test.test@172.31.255.45 logged out (login time: Wednesday, 25 March, 2015 09:35:59, number of API invocations: 0, user agent: VMware VI Client/4.0.0)

I want to filter only word: "login time".

These are my props.conf and transform.conf located in path /opt/splunk/etc/system/local:

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setparsing

File transforms.conf

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue

I tested it, but doesn't work.

Please, could someone help me to build the correct regex?

Thanks in advance.

somesoni2 · ‎03-25-2015

Try this (both the configuration files on Indexer/Heavyforwarder)

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setnull,setparsing

File transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue

How to write the regex in transforms.conf to filter and only index logs with "login time"?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to write the regex in transforms.conf to filter and only index logs with "login time"?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!