Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- REGEX transforms.conf, NOT operator
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
REGEX transforms.conf, NOT operator
Hi Splunkers
I'm new to splunk and currently playing around with the heavy forwarder. I found here several examples how to match a specific string in an event and only forward that event to the indexer. However, I could not find the opposite.
Here is what I would like to do.
Let's say in /var/log/messages we have those two log entries:
May 7 08:00:14 <host> <user>: Splunk, get that line!
May 7 08:01:45 <host> <user>: Splunk, miss that line!
My props.conf contains:
[source::/var/log/messages]
TRANSFORMS-set=setnull,ignore
My transforms.conf contains:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[ignore]
REGEX = !miss
DEST_KEY = queue
FORMAT = indexQueue
I have tryed several regex for the NOT miss part. So far I have not found any solution. Again, my goal is not to match the first line. I know how that is done. I want to match everything except something with a key word. At the end I should be able to exclude known events and always receive on my indexer what is wanted or sofar unknown.
Thank you for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Kristian
Thank you for your reply. I figured out where my failure was in the configuration. Your post helped me a lot!
I just post shortly my solution:
The props.conf remains almost the same as above:
[source::/var/log/messages]
TRANSFORMS-set=ignore
The transforms.conf changed the most and is now shorter:
[ignore]
REGEX = miss
DEST_KEY = queue
FORMAT = nullQueue
By sending the event matching the REGEX to the nullQueue, the event is not forwarded to the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you looked at the docs?
If you have a known event that you do NOT want, you can use a matching REGEX to send that event to the nullQueue. The rest are automatically sent to the parsingQueue.
If you want to only keep a known set of events, you do as you did above, i.e. set the queue to nullQueue for all events, and then overwrite that with parsingQueue for the events you wish to keep.
UPDATE:
Saw that you send the events to indexQueue. You might be right but you probably want the parsingQueue.
Hope this helps,
Kristian
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
