REGEX to discard specific events containing " Allow " but not those followed by 2 specific strings?



I need to find the REGEX to allow me to filter what Splunk will index.

As these are firewall logs, it generates too much volume, so I want to remove events containing the following pattern:

" Allow " (except if there is "ProxyStrip" or "ProxyDeny" somewhere after in the line)

Example:

Would match:
Sep 30 16:43:07 host=firewall-01 program=XXX0292D4BCD PID= facility=local1 level=info : firewall-01 http-proxy[3949]: Allow 3-LAN 2-EXTERNAL tcp 192.168.XXX.2 37.XXX.XXX.66 62745 80 msg="ProxyAllow: HTTP Header content type match" proxy_act="HTTP-Client.WebBlocker" rule_name="image/*" content_type="image/gif" (Out_Users_HTTP-rule)

Would not match:

Sep 30 16:43:07 host=firewall-01 program=XXX0292D4BCD PID= facility=local1 level=info : firewall-01 http-proxy[3949]: Allow 3-LAN 2-EXTERNAL tcp 192.168.XXX.2 37.XXX.XXX.66 62745 80 msg="ProxyStrip: HTTP Header content type match" proxy_act="HTTP-Client.WebBlocker" rule_name="image/*" content_type="image/gif" (Out_Users_HTTP-rule)

Sep 30 16:43:07 host=firewall-01 program=XXX0292D4BCD PID= facility=local1 level=info : firewall-01 http-proxy[3949]: Allow 3-LAN 2-EXTERNAL tcp 192.168.XXX.2 37.XXX.XXX.66 62745 80 msg="ProxyDeny: HTTP Header content type match" proxyact="HTTP-Client.WebBlocker" rulename="image/*" contenttype="image/gif" (OutUsers_HTTP-rule)

Any idea?

Thanks for your help.




Try this as the REGEX for the nullQueue:


Or, if you also want to include the ' msg="' part:


I want to index only "Deny" + "Allow" (for "Allow": only if followed by ProxyStrip or ProxyDeny).


This is confusing.

You want to filter out if the regex matches.

So what you're saying is you want lines like Allow ProxyStrip and Allow ProxyDeny to be indexed, but ProxyAllow to be discarded?


In transforms.conf (local one):

DEST_KEY = queue
FORMAT = nullQueue

REGEX = Deny
DEST_KEY = queue
FORMAT = indexQueue

REGEX = Allow.*(?=ProxyDeny|ProxyStrip)|^(?:(?!Allow).)*$
DEST_KEY = queue
FORMAT = nullQueue

In props.conf (local one):

TRANSFORMS-noallow= setnoallow

TRANSFORMS-noallow= setnoallow



Match "Allow followed by ProxyDeny or ProxyStrip" or "Any line without Allow".

Test:

| stats count 
| eval msg="Allow skldfjlksdjflksdjflksjdf ProxyDeny,Allow skldfjlksdjflksdjflksjdf ProxyAccept,Deny zasdfasdfsdf sdfsdfsdfsdfs"
| fields msg
| makemv delim="," msg
| mvexpand msg
| eval match=if(match(msg,"Allow.*(?=ProxyDeny|ProxyStrip)|^(?:(?!Allow).)*$"),1,0)


You probably want to send to the parsingQueue, not the indexQueue, too.


That's because you're sending the lines that match this to the nullQueue, and sending all the stuff that doesn't match to the real queue.

You need to do

TRANSFORMS-noallow= setnull,setnoallow

and have

REGEX = regex_goes here
DEST_KEY = queue
FORMAT = parsingQueue
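To show why the chain order matters, here is an added Python simulation (not code from the thread or from Splunk) of how the TRANSFORMS list routes the question's sample events. It assumes the stanza names setnull and setnoallow from the thread, uses indexQueue as the "keep" queue, and models Splunk's behaviour that stanzas are applied left to right with the last matching DEST_KEY=queue winning; the events are constructed from the ones in the question.

```python
import re

# Constructed sample events, shortened from the question (addresses masked as in the post).
PREFIX = "Sep 30 16:43:07 host=firewall-01 http-proxy[3949]: "
EVENTS = {
    "proxy_allow": PREFIX + 'Allow 3-LAN 2-EXTERNAL tcp 192.168.XXX.2 37.XXX.XXX.66 62745 80 '
                            'msg="ProxyAllow: HTTP Header content type match"',
    "proxy_strip": PREFIX + 'Allow 3-LAN 2-EXTERNAL tcp 192.168.XXX.2 37.XXX.XXX.66 62745 80 '
                            'msg="ProxyStrip: HTTP Header content type match"',
    "proxy_deny":  PREFIX + 'Allow 3-LAN 2-EXTERNAL tcp 192.168.XXX.2 37.XXX.XXX.66 62745 80 '
                            'msg="ProxyDeny: HTTP Header content type match"',
    "deny":        PREFIX + 'Deny 3-LAN 2-EXTERNAL tcp 192.168.XXX.3 37.XXX.XXX.66 62746 80 '
                            'msg="ProxyDeny: HTTP Header content type match"',
}

# The "keep" regex from the thread: Allow followed by ProxyDeny/ProxyStrip, or any line without Allow.
KEEP_RE = re.compile(r"Allow.*(?=ProxyDeny|ProxyStrip)|^(?:(?!Allow).)*$")

# Each transform stanza modelled as (REGEX, FORMAT) with DEST_KEY = queue.
SETNULL = (re.compile(r"."), "nullQueue")      # [setnull]: match everything, drop it
SETNOALLOW = (KEEP_RE, "indexQueue")           # [setnoallow]: match what we want to keep


def route(event, transforms, default="indexQueue"):
    """Return the queue an event ends up in.

    Transforms run in list order; every matching stanza overwrites the queue,
    so the last match wins. Events matched by nothing keep the default queue.
    """
    queue = default
    for regex, dest in transforms:
        if regex.search(event):
            queue = dest
    return queue


def route_all(transforms):
    """Route every sample event and report the resulting queue per event."""
    return {name: route(event, transforms) for name, event in EVENTS.items()}


if __name__ == "__main__":
    # Only setnoallow: the ProxyAllow event matches nothing and is indexed by default.
    print("setnoallow only     :", route_all([SETNOALLOW]))
    # setnull first, then setnoallow: ProxyAllow is dropped, the rest are re-routed to the index.
    print("setnull,setnoallow  :", route_all([SETNULL, SETNOALLOW]))
```

The first configuration reproduces the symptom reported later in the thread (all "Allow" lines still indexed); the second is the drop-everything-then-whitelist pattern the reply describes.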


I still see Allow lines without ProxyDeny or ProxyStrip in the same line when I run a search in the index for the last few minutes after restarting Splunk.

Maybe I made a mistake in the way I use transforms.conf?


OK, I think I got it:



Your regex seems to work fine in my tester. Are you seeing success in the search string, but not in your index?



Oh no, it still indexes all the "Allow" lines !
