Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using regex to drop specific events

rdevine
Path Finder
‎03-01-2012 02:40 PM

i have an event that looks like this

03/01/2012 03:05:43 PM
LogName=Security
SourceName=Security
EventCode=562
EventType=8
Type=Success Audit
ComputerName=GLSSQLINT
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=3
CategoryString=Object Access
RecordNumber=250015
Message=Handle Closed:

Object Server:  Security

Handle ID:  940

Process ID: 1288

Image File Name:    C:\Program Files\ISS\Proventia Server\phService.exe

I want these messages to be dropped if both type=success audit AND CategoryString=Object Access, however when i create the regex to do this which i think is supposed to be
(?m)(?=.*Type=Success Audit)(?=.*CategoryString=Object Access)
it doesn't seem to work. What am I doing wrong?

0 Karma
Reply

rdevine
Path Finder
‎03-02-2012 07:22 AM

ultimately this worked.

(?ms)(?=Success\sAudit)(?=.*CategoryString=Object\sAccess)

0 Karma
Reply

lguinn2
Legend
‎03-02-2012 02:56 PM

Good catch. You definitely needed the (?ms) not just the (?m)

0 Karma
Reply

lguinn2
Legend
‎03-01-2012 06:24 PM

I think that the following would do it. Not sure why you are using lookahead - it isn't needed here.

(?m)Type=Success Audit.*CategoryString=Object Access
Reply

rdevine
Path Finder
‎03-02-2012 08:45 AM

I tried this and it did not work.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...