Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex for nullQueue, conditional regex. Can someone figure it out?

adamsmith47
Communicator
‎02-24-2017 05:53 AM

Hello all,

I'm not sure this is doable with nullQueue in transforms to filter out events of this form, hopefully someone can crack it. For simplicity I will be using mock place holders instead of my actual events and regex.

So, my events may include two unique strings of text, which I'm capable of matching with {MyRegexA} and {MyRegexB}. There are only 3 possible event types which will be read:

1) "blah blah blah" {MyRegexA} "blah blah blah" {MyRegexB} "blah blah blah"
2) "blah blah blah blah blah blah blah blah blah" {MyRegexB} "blah blah blah"
3) "blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah"

Sorry for the crudeness of examples, but the real events are quite large (hundreds of lines), and {MyRegexA} {MyRegexB} are also quite long.

I'm looking for a nullQueue regex which will discard ONLY event type #2, namely, where there is a match for {MyRegexB} but no match for {MyRegexA} prior in the event.

I was thinking a negative lookbehind of the form

(?<!{MyRegexA}){MyRegexB}

would do it, but that actually matches both #1 and #2. At least on my test site, www.regexr.com

Any advice?

0 Karma
Reply

paulstout
Path Finder
‎02-24-2017 08:32 AM

Would it be possible to assign a different sourcetype to events matching MyRegexA and MyRegexB? Example:

Let:

SourcetypeA = the incoming sourcetype
SourcetypeB = the new sourcetype that we do not want to discard

props.conf

[sourcetypeA]
TRANSFORMS-checkAB=checkAB, discardB

transforms.conf

[checkAB]
REGEX = YOUR_A_AND_B_REGEX
DEST_KEY = MetaData:Sourcetype
FORMAT = SourcetypeB

[discardB]
REGEX = YOUR_B_REGEX
DEST_KEY = queue
FORMAT=nullQueue

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...