Splunk Search

How to write the regex in transforms.conf to filter and only index logs with "login time"?

skenkz
New Member

Hello,
i need to implement a regex to filter contents of logs of vmware infrastructure.

The only logs I want to receive and index in Splunk will have to be:

Mar 25 10:36:45 172.20.1.9 2015-03-25T09:36:31.014Z IBM-ESXi-5.aditinet.local Hostd: [FFB37920 info 'Vimsvc.ha-eventmgr' opID=B6CBCB83-00000031 user=DOMAIN\test.test] Event 2459 : User DOMAIN\test.test@172.31.255.45 logged out (login time: Wednesday, 25 March, 2015 09:35:59, number of API invocations: 0, user agent: VMware VI Client/4.0.0)

I want to filter only word: "login time".

These are my props.conf and transform.conf located in path /opt/splunk/etc/system/local:

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setparsing

File transforms.conf

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue

I tested it, but doesn't work.

Please, could someone help me to build the correct regex?

Thanks in advance.

0 Karma

somesoni2
Revered Legend

Try this (both the configuration files on Indexer/Heavyforwarder)

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setnull,setparsing

File transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...