Splunk Search

Regex to log will not contain anything

jrodriguezap
Contributor

Hello.
I appreciate your support. In transforms.conf I am trying to write a REGEX that matches all logs that do not contain "webfilter" and sends them to nullQueue.
I tried something like this:
[discard]
REGEX=!webfilter
DEST_KEY=queue
FORMAT=nullQueue

but it did not work, so then I tried:
[discard]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
[maintain]
REGEX=webfilter
DEST_KEY=queue
FORMAT=indexQueue

But that did not work either.
What would be the correct syntax for this case?
Thanks in advance


lukejadamec
Super Champion

Try this. I'm only guessing at the regex because you have not posted an example of your event.

In props.conf

[host::10.10.0.5]
TRANSFORMS-FORTIGATE=discard,maintain

In transforms.conf

[discard]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[maintain]
REGEX=webfilter
DEST_KEY=queue
FORMAT=indexQueue

kristian_kolb
Ultra Champion

Then you should add an extra stanza in transforms.conf:

[null_dns_ssl]
REGEX = app=\"(DNS|SSL)\"
DEST_KEY = queue
FORMAT = nullQueue

And call it from props.conf like this (order is important)

TRANSFORMS-FORTIGATE = discard, maintain, null_dns_ssl

/K

jrodriguezap
Contributor

Ah, OK, if so that's fine; so far I agree with Splunk.
Now that I'm reviewing the result of the filter we made, there are some logs that I would not want to lose, and those are the ones that do not contain the following: app="DNS" or app="SSL".
I tried to do it like this: REGEX=webfilter|app=(?!"DNS|SSL]")
But it is still showing me logs with app="DNS" or app="SSL".
Could I be wrong?


lukejadamec
Super Champion

The solution I posted is the documented solution. How about we get it working first, and then optimize.

jrodriguezap
Contributor

Hello, thanks. The detail was the comma-separated aliases: TRANSFORMS-FORTIGATE = discard, Maintain
But tell me, wouldn't the double REGEX be less optimal than the single one, lguinn's idea? Maybe it saves some resources, right?


lguinn2
Legend

I think that the problem was the regular expression. This one is more complicated, but I think it will actually work. The other one was wrong.

In transforms.conf

[discard]
REGEX=(?i)(?!.*?webfilter)
DEST_KEY=queue
FORMAT=nullQueue

In props.conf

[host::10.10.0.5]
TRANSFORMS-FORTIGATE_discard=discard

Note that in your comment, you have two transforms that start with TRANSFORMS-FORTIGATE and these should be unique. For example TRANSFORMS-FORTIGATE1 and TRANSFORMS-FORTIGATE2. I renamed my stanza above to make sure it was unique.

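As an added example (not code from this thread, and not Splunk's own code), the following Python script simulates how Splunk routes one event through an ordered TRANSFORMS-* list whose stanzas all set DEST_KEY=queue: every stanza whose REGEX matches (an unanchored search, as in Splunk) overwrites the queue, so the last matching stanza wins, and an event no stanza touches goes to indexQueue. It runs the discard/maintain pair from lukejadamec's post, the null_dns_ssl stanza from kristian_kolb's post and the negative-lookahead stanza from lguinn2's post over five constructed FortiGate-style lines, and adds an anchored variant, `(?i)^(?!.*webfilter)`, for comparison. The sample events and the anchored pattern are assumptions made for this example, and Python's re module stands in for Splunk's PCRE engine; for these patterns the two behave the same.

```python
import re

# Constructed FortiGate-style syslog lines for the example (not real events).
# Note event 5 spells the subtype "Webfilter" with a capital W.
SAMPLE_EVENTS = [
    'date=2024-05-01 time=10:00:01 devname="fw1" type="utm" subtype="webfilter" app="HTTP" action="blocked" hostname="bad.example"',
    'date=2024-05-01 time=10:00:02 devname="fw1" type="utm" subtype="webfilter" app="SSL" action="passthrough" hostname="cdn.example"',
    'date=2024-05-01 time=10:00:03 devname="fw1" type="traffic" subtype="forward" app="DNS" action="accept" dstport=53',
    'date=2024-05-01 time=10:00:04 devname="fw1" type="event" subtype="system" logdesc="Admin login successful"',
    'date=2024-05-01 time=10:00:05 devname="fw1" type="utm" subtype="Webfilter" app="DNS" action="blocked" hostname="evil.example"',
]


def route_event(event, transforms):
    """Return the queue an event ends up in after an ordered TRANSFORMS-* list.

    transforms is a list of (REGEX, FORMAT) pairs, each standing for a
    transforms.conf stanza with DEST_KEY=queue.  Splunk evaluates the stanzas in
    the order named in props.conf; each match overwrites the queue, so the last
    matching stanza wins.  An event no stanza matches keeps the default route.
    """
    queue = "indexQueue"
    for regex, fmt in transforms:
        # Splunk's REGEX is an unanchored search, like re.search, not re.match.
        if re.search(regex, event):
            queue = fmt
    return queue


def indexed(transforms, events=SAMPLE_EVENTS):
    """Return the events that would reach the index under this stanza list."""
    return [e for e in events if route_event(e, transforms) == "indexQueue"]


# TRANSFORMS-FORTIGATE = discard, maintain  (lukejadamec's documented pattern):
# null everything, then pull back events containing "webfilter" (case-sensitive).
DISCARD_THEN_MAINTAIN = [
    (r".", "nullQueue"),
    (r"webfilter", "indexQueue"),
]

# ... plus kristian_kolb's null_dns_ssl stanza appended after maintain, so that
# webfilter events for app="DNS" or app="SSL" are dropped again.
WITH_DNS_SSL_DROP = DISCARD_THEN_MAINTAIN + [
    (r'app="(DNS|SSL)"', "nullQueue"),
]

# lguinn2's single stanza.  The negative lookahead is zero-width and the search
# is unanchored, so for any string it finds some position where no "webfilter"
# lies ahead (at the latest, the end of the string).  It therefore matches every
# event and sends all of them to nullQueue.
UNANCHORED_LOOKAHEAD = [
    (r"(?i)(?!.*?webfilter)", "nullQueue"),
]

# Assumed fix for the example: anchoring the lookahead to the start of the event
# makes it fail exactly when "webfilter" appears anywhere in the event, so only
# events without it (in any case) are nulled, in a single stanza.
ANCHORED_LOOKAHEAD = [
    (r"(?i)^(?!.*webfilter)", "nullQueue"),
]


if __name__ == "__main__":
    for name, transforms in [
        ("discard,maintain", DISCARD_THEN_MAINTAIN),
        ("discard,maintain,null_dns_ssl", WITH_DNS_SSL_DROP),
        ("unanchored lookahead", UNANCHORED_LOOKAHEAD),
        ("anchored lookahead", ANCHORED_LOOKAHEAD),
    ]:
        kept = indexed(transforms)
        print(f"{name}: {len(kept)} of {len(SAMPLE_EVENTS)} events indexed")
        for e in kept:
            print("   ", e)
```

Two things the simulation makes visible that the thread only hints at: the unanchored `(?i)(?!.*?webfilter)` stanza indexes nothing, which matches what jrodriguezap reports further down ("this filters out all my logs"), and the plain `webfilter` regex in the documented two-stanza pattern is case-sensitive, so an event spelled "Webfilter" is dropped unless `(?i)` is added. In Python 3.11 and later the `(?i)` flag must sit at the very start of the pattern, as written here.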

jrodriguezap
Contributor

Hi, thanks for your reply. I find the syntax interesting, but now this filters out all my logs and does not let any through 😞


jrodriguezap
Contributor

Hello, would you know what the problem could be?


jrodriguezap
Contributor

Hi, I have the following:
[host::10.10.0.5]
TRANSFORMS-FORTIGATE=discard
TRANSFORMS-FORTIGATE=maintain

I just want to keep the logs that have "Webfilter".


lukejadamec
Super Champion

What do you have in the corresponding props.conf?
Also, an example of the event that contains "webfilter" would be handy.
