Splunk Search

REGEX transforms.conf help

ryastrebov
Communicator

Hello!
I have this log:

 013db64db1d4,250993102139,62f0cffe,3fad,fbc3,7f08ff01
 013db64db1cd,250027013354,_,3fde,fd9e,_
 013db64db1ae,@,95800970,3fad,fbb1,82e01bbc
 013db64db1cd,250993231395,78e0f35c,df5a,8b71,63a0d3d4
 013db64db106,@,9910a7a2,3fde,890d,8320b744

I want to ignore events that have @ in the second position, for every event in this log. What REGEX should I write in transforms.conf for nullQueue filtering?
Instead of the symbol @, the symbol _ should be read.
The _ in the code for some reason does not appear.

Sorry, I'm new to regular expressions, unfortunately.

Thanks!

1 Solution

kristian_kolb
Ultra Champion

"Instead of the symbol @ to be read symbol _"

Does this mean that you would like to send all events matching "_" (underscore) in the second position to the nullQueue?

In that case your transform/regex should be:

REGEX = ^\w+,_,
DEST_KEY = queue
FORMAT = nullQueue

Of course you could be even more specific, if you only want this nullqueueing to happen when the first position is a 12-character hex string:

REGEX = ^[a-fA-F0-9]{12},_,

or less specific, if the first position can contain anything (apart from a comma):

REGEX = ^[^,]+,_,

Hope this helps,

Kristian

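Before shipping a nullQueue transform it is worth checking the REGEX against real events, since a pattern that matches too much silently discards data. The following is an added example, not from the post or from Splunk: it runs the three REGEX values from the answer over the question's sample events (with the forum's @ read as _, as the asker explains) and reports which events would be dropped. It assumes Python's re module behaves like Splunk's PCRE matcher for these simple anchored patterns and that REGEX is applied as an unanchored search over the raw event.

```python
import re

# Constructed sample, copied from the question with "@" read as "_"
# in the second field, as the asker explains (assumed, not real data).
SAMPLE_EVENTS = [
    "013db64db1d4,250993102139,62f0cffe,3fad,fbc3,7f08ff01",
    "013db64db1cd,250027013354,_,3fde,fd9e,_",
    "013db64db1ae,_,95800970,3fad,fbb1,82e01bbc",
    "013db64db1cd,250993231395,78e0f35c,df5a,8b71,63a0d3d4",
    "013db64db106,_,9910a7a2,3fde,890d,8320b744",
]

# The three REGEX values proposed in the accepted answer.
TRANSFORMS = {
    "word_prefix": r"^\w+,_,",
    "hex12_prefix": r"^[a-fA-F0-9]{12},_,",
    "any_prefix": r"^[^,]+,_,",
}


def route_events(regex, events):
    """Emulate a transforms.conf stanza with DEST_KEY = queue and
    FORMAT = nullQueue: events whose raw text matches the regex are
    dropped, everything else is kept for indexing.  Assumes Splunk
    applies REGEX as an unanchored search, so ^ is what pins the
    pattern to the start of the event."""
    pattern = re.compile(regex)
    kept, dropped = [], []
    for event in events:
        (dropped if pattern.search(event) else kept).append(event)
    return kept, dropped


def dropped_indexes(regex, events=SAMPLE_EVENTS):
    """Return the 0-based positions of the events a regex would
    null-queue; handy for comparing candidate patterns side by side.
    Note that the event with "_" in the third field must NOT match:
    \\w+ and [^,]+ cannot cross the first comma, so ",_," has to
    follow the first field exactly."""
    pattern = re.compile(regex)
    return [i for i, e in enumerate(events) if pattern.search(e)]


if __name__ == "__main__":
    for name, regex in TRANSFORMS.items():
        print(f"{name:13} {regex:24} drops events {dropped_indexes(regex)}")
```

All three patterns drop only the two events whose second field is "_" (indexes 2 and 4); the event with "_" in the third field is kept.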


kristian_kolb
Ultra Champion

Oh, and it seems like your events have hex timestamps; does Splunk treat that gracefully?


ryastrebov
Communicator

Thank you, Kristian!
This is just what I needed!
