Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex is kicking my butt

cdupuis123
Path Finder
‎06-11-2013 04:11 AM

So I'm attempting to drop events from the windows security logs at the indexer so I've created a props.conf that is this:


[source::WinEventLog:Security]
TRANSFORMS-set=setnull, setparsing

and my transforms.conf is:

Exclude windows events

[WinEventLog:Security]
REGEX = (?m) EventCode=(5156).
DEST_KEY = queue
FORMAT = nullQueue

So I'm a Splunk newbie and have struggled/searched/restarted my test instance countless times with still no success. These conf files are in the /opt/splunk/etc/system/local/ and I've yet to even get one event to hit the null queue??? Help!!! thanks in advance

Tags (1)
0 Karma
Reply

cdupuis123
Path Finder
‎07-11-2013 08:49 AM

Any idea why this stopped working? Where do I start troubleshooting?

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-11-2013 07:04 AM

Yes. (5125|4267|1337) etc

I don't know if there is a risk that you'll match 5-digit EventCodes by accident, i.e. 1234 could also match 12345 Might want to add \b at the end of your string.

REGEX=(?m)EventCode=(1234|3456|6789)\b

0 Karma
Reply

cdupuis123
Path Finder
‎06-11-2013 05:29 AM

Awesome, thanks Kristian

0 Karma
Reply

cdupuis123
Path Finder
‎06-11-2013 05:10 AM

Awesome, thanks Kristian

Now to add other events I just | them correct?

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-11-2013 04:46 AM

The problem lies in how you name/define the transform. In props.conf, you call for two transforms to take place. But these are not found in transforms.conf. Also, for wineventlogs, you do not need to do source:: in props.

And you don't need the setparsing transform either. From the example in the docs, that is used when you want discard all events (to the nullQueue), and then change back to the parsingQueue for those events that match the regex.

Try this instead.

props.conf

[WinEventLog:Security] 
TRANSFORMS-set=setnull

transforms.conf

[setnull] 
REGEX = (?m)EventCode=5156 
DEST_KEY = queue 
FORMAT = nullQueue

Hope this helps,

K

Reply

kristian_kolb
Ultra Champion
‎07-12-2013 05:42 AM

This operation takes place during the parsing phase. So the configuration must be on the first of the following in your chain from source log to indexed data; a Heavy Forwarder or an Indexer. See the following page;

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

No, dropped data does not count towards the license.

0 Karma
Reply

adrianathome
Communicator
‎07-11-2013 05:36 PM

Would this need to go on a indexer or search head in a cluster? Does the dropped data count toward license?

0 Karma
Reply

gfuente
Motivator
‎06-11-2013 04:35 AM

Hello

EDITED:

Follow Kristian answer...

Regards

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...