
Why isn't this regex working on /var/log?

Contributor

Hi,

I'm using a Single Instance of Splunk 6.6.2 and I've tried filtering some events of my log using the code below, but the filter doesn't work. I put this argument "[\dbus]" into regex because I don't want this to be indexed. What's wrong with this?

inputs.conf:

[source::/var/log/messages]
disabled = 0
index = main
sourcetype = my_sourcetype

props.conf:

[my_sourcetype]
TRANSFORMS-null = setnull

transforms.conf:

[setnull]
REGEX = \[dbus\]
DEST_KEY = queue
FORMAT = nullQueue
0 Karma

Re: Why isn't this regex working on /var/log?

Path Finder

The inputs stanza should be

[monitor:///var/log/messages]

Are there any internal errors you see when you search "index=_internal"?


Re: Why isn't this regex working on /var/log?

Contributor

In fact @nileena, in my environment I put the stanza as below. The internal index doesn't have any error that contains references to this.

[monitor:///var/log/messages]
disabled = false
index = main
sourcetype = my_sourcetype

0 Karma

Re: Why isn't this regex working on /var/log?

SplunkTrust

Just to verify - each key word is on a line by itself, true?

[setnull]
REGEX = \[dbus\]
DEST_KEY = queue
FORMAT = nullQueue

Re: Why isn't this regex working on /var/log?

Contributor

Each key is on its own line. It's the code style of Answers that put it all into a single line, @DalJeanis.

0 Karma

Re: Why isn't this regex working on /var/log?

SplunkTrust

Can you share some sample raw data that you want to drop? (mask any sensitive information)


Re: Why isn't this regex working on /var/log?

Contributor

Sure @somesoni2.

Nov 28 18:02:53 localhost dbus-daemon: dbus[409]: [system] Successfully activated service 'org.freedesktop.nmdispatcher'
Nov 28 18:02:53 localhost dbus-daemon: dbus[809]: [system] Successfully activated service 'org.freedesktop.nmdispatcher'
Nov 28 18:02:53 localhost dbus-daemon: dbus[981]: [system] Successfully activated service 'org.freedesktop.nmdispatcher'
Nov 28 18:02:53 localhost dbus-daemon: dbus[604]: [system] Successfully activated service 'org.freedesktop.nmdispatcher'
Nov 28 18:02:53 localhost dbus[605]: [system] Successfully activated service 'org.freedesktop.nmdispatcher'
Nov 28 18:02:53 localhost dbus[600]: [system] Activating via systemd: service name='org.freedesktop.nmdispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'

0 Karma

Re: Why isn't this regex working on /var/log?

SplunkTrust

So you want to drop any event which has the word dbus? Or is it dbus[? If that's the case, the REGEX in your transforms.conf should be REGEX = dbus, or REGEX = dbus\[ for the second case.

The current value of REGEX = \[dbus\] actually looks for literal string [dbus] in the events, which I don't see in your sample data, hence it didn't work.


Re: Why isn't this regex working on /var/log?

Contributor

That's exactly what I want to do: drop all events with dbus and store the events that do not have this parameter. I'll test your sample and come back here.

0 Karma

Re: Why isn't this regex working on /var/log?

Esteemed Legend

I suspect that you are copying too literally from the example docs here:
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

The example there shows this:

[setnull]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = nullQueue

But that is because it is trying to match the EXACT string [sshd]. You are probably trying to match the exact string dbus so you should use this:

REGEX = dbus
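A small simulation of the nullQueue transform discussed in the two answers above, added here as an example (it is not code from the thread or from Splunk). It parses the [setnull] stanza and applies its REGEX to constructed syslog lines modelled on the posted sample, showing that \[dbus\] only matches the literal text [dbus] while dbus (or dbus\[) drops the dbus events. It assumes Python's unanchored re.search is a fair stand-in for Splunk's PCRE match over _raw for these simple patterns.

```python
import re

# Constructed sample events, modelled on the /var/log/messages lines posted in the thread.
SAMPLE_EVENTS = [
    "Nov 28 18:02:53 localhost dbus-daemon: dbus[409]: [system] Successfully activated service 'org.freedesktop.nm-dispatcher'",
    "Nov 28 18:02:53 localhost dbus[600]: [system] Activating via systemd: service name='org.freedesktop.nm-dispatcher'",
    "Nov 28 18:02:53 localhost sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
    "Nov 28 18:02:54 localhost systemd: Started Session 3 of user root.",
]

def parse_stanza(conf_text, name):
    """Return the key/value settings of one [name] stanza from transforms.conf-style text."""
    settings, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new stanza header
            continue
        if current == name and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def apply_null_queue(events, transform):
    """Simulate a TRANSFORMS rule routing to nullQueue: any event whose raw text matches
    REGEX (unanchored search, as Splunk does) is dropped; everything else is kept.
    Assumption: Python re approximates Splunk's PCRE for the patterns in this thread."""
    pattern = re.compile(transform["REGEX"])
    to_null = transform.get("DEST_KEY") == "queue" and transform.get("FORMAT") == "nullQueue"
    kept, dropped = [], []
    for event in events:
        (dropped if to_null and pattern.search(event) else kept).append(event)
    return kept, dropped

# The stanza as posted in the question: the escaped brackets make "[dbus]" a literal string.
ORIGINAL = """
[setnull]
REGEX = \\[dbus\\]
DEST_KEY = queue
FORMAT = nullQueue
"""
# The two corrections suggested in the answers.
CORRECTED_WORD = ORIGINAL.replace("\\[dbus\\]", "dbus")
CORRECTED_BRACKET = ORIGINAL.replace("\\[dbus\\]", "dbus\\[")

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("dbus", CORRECTED_WORD), ("dbus[", CORRECTED_BRACKET)):
        kept, dropped = apply_null_queue(SAMPLE_EVENTS, parse_stanza(conf, "setnull"))
        print(f"REGEX variant {label!r}: dropped {len(dropped)}, kept {len(kept)}")
```

The original stanza drops nothing because no sample line contains the literal text [dbus]; both corrected patterns drop exactly the two dbus lines and keep the sshd and systemd lines.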