Re: Using regex to drop specific events

rdevine · ‎03-01-2012

i have an event that looks like this

03/01/2012 03:05:43 PM LogName=Security SourceName=Security EventCode=562 EventType=8 Type=Success Audit ComputerName=GLSSQLINT User=SYSTEM Sid=S-1-5-18 SidType=1 Category=3 CategoryString=Object Access RecordNumber=250015 Message=Handle Closed:

Object Server:  Security

Handle ID:  940

Process ID: 1288

Image File Name:    C:\Program Files\ISS\Proventia Server\phService.exe

I want these messages to be dropped if both type=success audit AND CategoryString=Object Access, however when i create the regex to do this which i think is supposed to be
(?m)(?=.*Type=Success Audit)(?=.*CategoryString=Object Access)
it doesn't seem to work. What am I doing wrong?

rdevine · ‎03-02-2012

ultimately this worked.

(?ms)(?=Success\sAudit)(?=.*CategoryString=Object\sAccess)

lguinn2 · ‎03-02-2012

Good catch. You definitely needed the (?ms) not just the (?m)

lguinn2 · ‎03-01-2012

I think that the following would do it. Not sure why you are using lookahead - it isn't needed here.

(?m)Type=Success Audit.*CategoryString=Object Access

rdevine · ‎03-02-2012

I tried this and it did not work.

Using regex to drop specific events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation