Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- REGEX transforms.conf help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I have this log:
013db64db1d4,250993102139,62f0cffe,3fad,fbc3,7f08ff01
013db64db1cd,250027013354,_,3fde,fd9e,_
013db64db1ae,@,95800970,3fad,fbb1,82e01bbc
013db64db1cd,250993231395,78e0f35c,df5a,8b71,63a0d3d4
013db64db106,@,9910a7a2,3fde,890d,8320b744
I want to ignore events with @ on second position in every event on this log. What REGEX should I write in a file transforms.conf for nullQueue filtering?
Instead of the symbol @ to be read symbol _
The _ in the code for some reason does not appear.
Sorry, I new in regular expression, unfortunately.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Instead of the symbol @ to be read symbol _"
Does this mean that you would like to send all events matching "_" (underscore) in the second position to the nullQueue?
In that case your transform/regex should be;
REGEX = ^\w+,_,
DEST_KEY = queue
FORMAT = nullQueue
Of course you could be even more specific, if you only want this nullqueueing to happen when the first position is a 12-characer hex string;
REGEX = ^[a-fA-F0-9]{12},_,
or less specific, if the first position can contain anything (apart from a comma);
REGEX = ^[^,]+,_,
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Instead of the symbol @ to be read symbol _"
Does this mean that you would like to send all events matching "_" (underscore) in the second position to the nullQueue?
In that case your transform/regex should be;
REGEX = ^\w+,_,
DEST_KEY = queue
FORMAT = nullQueue
Of course you could be even more specific, if you only want this nullqueueing to happen when the first position is a 12-characer hex string;
REGEX = ^[a-fA-F0-9]{12},_,
or less specific, if the first position can contain anything (apart from a comma);
REGEX = ^[^,]+,_,
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, and it seems like your events have hex timestamps, does Splunk treat that gracefully?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, Kristian!
This is just what I needed!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
