Splunk Search

Using regex to drop specific events

Path Finder

i have an event that looks like this

03/01/2012 03:05:43 PM
LogName=Security
SourceName=Security
EventCode=562
EventType=8
Type=Success Audit
ComputerName=GLSSQLINT
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=3
CategoryString=Object Access
RecordNumber=250015
Message=Handle Closed:

Object Server:  Security

Handle ID:  940

Process ID: 1288

Image File Name:    C:\Program Files\ISS\Proventia Server\phService.exe

I want these messages to be dropped if both type=success audit AND CategoryString=Object Access, however when i create the regex to do this which i think is supposed to be
(?m)(?=.*Type=Success Audit)(?=.*CategoryString=Object Access)
it doesn't seem to work. What am I doing wrong?

0 Karma

Path Finder

ultimately this worked.

(?ms)(?=Success\sAudit)(?=.*CategoryString=Object\sAccess)

0 Karma

Legend

Good catch. You definitely needed the (?ms) not just the (?m)

0 Karma

Legend

I think that the following would do it. Not sure why you are using lookahead - it isn't needed here.

(?m)Type=Success Audit.*CategoryString=Object Access

Path Finder

I tried this and it did not work.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!