Splunk Search

This AND That regex in transforms.conf?

Path Finder

How can I filter events based on two things being true in transforms.conf?

Specifically, let's say that I want to filter out Windows event log entries where EventCode=1234 AND Keywords="Audit Success". The goal is that EventCode=1234 and Keywords="Audit Failure" will still be indexed.

Is this just a simple regex problem? And how can I test the regex? I tried playing with regexes from answers to similar problems using searches and regex _raw=, but did not see the behavior I expected.

Any pointers or help appreciated, including the authoritative manual for Splunk regexes; I see that PCRE is used for things like serverclass.conf, but the transforms.conf regexes don't look like PCRE.


Re: This AND That regex in transforms.conf?

Splunk Employee

Is there a reason you don't want them indexed? You could certainly search for that set of terms....


Re: This AND That regex in transforms.conf?

Path Finder

The volume is prohibitive. For some event types, 'success' Windows logs every three shakes of a lamb's tail, and suddenly you've picked up several gigabytes' worth of logs with questionable usefulness.


Re: This AND That regex in transforms.conf?

Splunk Employee

The regexes are PCRE in transforms.conf.

If you want to catch two items, you just need a regex that only matches the event when both are true, e.g., like EventCode=1234.+?Keywords=\"Audit Failure\" or whatever is appropriate for the data.
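An added, offline way to check such a two-condition regex against sample events before touching transforms.conf (example code written for this thread, not from Splunk or the posters): it mirrors the nullQueue routing on constructed multiline Windows events and shows why the `(?s)` flag matters when the two fields sit on different lines. The stanza names and event values are assumptions; Python's re engine, not PCRE, evaluates the pattern, but the constructs used here behave the same in both.

```python
import re

# Constructed sample event in the multiline form the Splunk Windows event log
# input produces; host, timestamp and codes are made up for this example.
SUCCESS_EVENT = """10/01/2019 09:12:33 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=1234
EventType=0
Type=Information
ComputerName=host01.example.local
TaskCategory=Logon
OpCode=Info
Keywords=Audit Success
Message=An account was successfully logged on."""

FAILURE_EVENT = SUCCESS_EVENT.replace("Keywords=Audit Success", "Keywords=Audit Failure")
OTHER_EVENT = SUCCESS_EVENT.replace("EventCode=1234", "EventCode=5678")

# Hypothetical stanzas this check mirrors (names are assumptions):
#   props.conf
#     [WinEventLog:Security]
#     TRANSFORMS-drop = drop_1234_success
#   transforms.conf
#     [drop_1234_success]
#     REGEX = (?s)EventCode=1234.+?Keywords=Audit Success
#     DEST_KEY = queue
#     FORMAT = nullQueue
# (?s) lets '.' span the newlines between EventCode and Keywords. The literal
# must match the raw text exactly; check whether your data quotes the value.
DROP_REGEX = re.compile(r"(?s)EventCode=1234.+?Keywords=Audit Success")

# Same pattern without (?s): '.' stops at a newline, so a multiline event
# never matches and nothing would be dropped.
DROP_REGEX_NO_DOTALL = re.compile(r"EventCode=1234.+?Keywords=Audit Success")


def route(event: str) -> str:
    """Return the queue the transform would send this event to."""
    return "nullQueue" if DROP_REGEX.search(event) else "indexQueue"


def matches_without_dotall(event: str) -> bool:
    """True only if the single-line form of the regex matches the event."""
    return DROP_REGEX_NO_DOTALL.search(event) is not None


def filter_events(events):
    """Return the events that would actually reach the index."""
    return [e for e in events if route(e) == "indexQueue"]
```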


Re: This AND That regex in transforms.conf?

Path Finder

I am unable to verify this using regex _raw, perhaps because regex _raw seems not to like the (m?) multiline flag and this is a multiline match. Is there a better way to test these regexes than updating transforms.conf and bouncing the Splunk server? Am I missing magic that will make regex _raw behave the same way transforms does?