How to write the regex in transforms.conf to filte...

skenkz · ‎03-25-2015

Hello,
i need to implement a regex to filter contents of logs of vmware infrastructure.

The only logs I want to receive and index in Splunk will have to be:

Mar 25 10:36:45 172.20.1.9 2015-03-25T09:36:31.014Z IBM-ESXi-5.aditinet.local Hostd: [FFB37920 info 'Vimsvc.ha-eventmgr' opID=B6CBCB83-00000031 user=DOMAIN\test.test] Event 2459 : User DOMAIN\test.test@172.31.255.45 logged out (login time: Wednesday, 25 March, 2015 09:35:59, number of API invocations: 0, user agent: VMware VI Client/4.0.0)

I want to filter only word: "login time".

These are my props.conf and transform.conf located in path /opt/splunk/etc/system/local:

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setparsing

File transforms.conf

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue

I tested it, but doesn't work.

Please, could someone help me to build the correct regex?

Thanks in advance.

somesoni2 · ‎03-25-2015

Try this (both the configuration files on Indexer/Heavyforwarder)

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setnull,setparsing

File transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue

How to write the regex in transforms.conf to filter and only index logs with "login time"?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

How to write the regex in transforms.conf to filter and only index logs with "login time"?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions