Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex for source AND Type

schnibitz
New Member
‎07-24-2013 08:57 AM

Hi everyone, Been trying to get regex syntax to behave. What I have below works. It only shows events that are from the source "EMET".

props.conf

[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminull,wmiparse

transforms.conf

[wmiparse]
REGEX=(?m)^SourceName=(EMET)
DEST_KEY=queue
FORMAT=indexQueue

I'm trying to get it to find EMET source events that are also Error logs.

props.conf

[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminull,wmiparse

transforms.conf

[wmiparse]
REGEX=(?m)^SourceName=(EMET).*^Type=Error
DEST_KEY=queue
FORMAT=indexQueue

But that doesn't seem to work. Any ideas?

Thanks,
-S

Tags (1)
0 Karma
Reply

samjack
New Member
‎07-27-2013 07:46 AM

I would use eventtyping for which events are errors.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...