Splunk Search

How to exclude sending logs to a heavy forwarder when a field ends with a specific string, using transforms.conf on the cluster master?

Builder

The following are my transforms.conf and props.conf in my cluster master

transforms.conf

[send_to_heavyforwarder]
SOURCE_KEY = _meta
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
DEST_KEY = _TCP_ROUTING
FORMAT = heavyforwarder_output

props.conf

[default]
TRANSFORMS-heavyforwarder= send_to_heavyforwarder

This is used to send logs to the heavy forwarder only when the fields match the regex condition specified in transforms.conf, which is below:

REGEX = (logtype::SAT.*id::(ABC-1|ABC-2)) 

Now I need to send one more id (whose field value is ABC-3) to the heavyforwarder, but instead of sending all of its logs to the heavyforwarder I need to exclude sending logs to the heavyforwarder when a username field ends with the string "TEST". For that I have modified my regex in transforms.conf as below:

REGEX = (logtype::SAT.*id::(ABC-1|ABC-2)) | (logtype::SAT.*id::ABC-3.*username!::[a-zA-Z]{2,3}-+.*?-TEST)

Could anyone verify the above regex and confirm whether I used the right condition to satisfy the requirement? If not, what would be the proper REGEX syntax to apply in my transforms.conf?

Any help could be great.

Note: username is also a metadata field.

0 Karma
1 Solution

Esteemed Legend

Try this (using negative-lookahead):

REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))|(logtype::SAT.*?id::ABC-3.*?username::(?![^:]+\-TEST))

See here for validation:
https://regex101.com/r/Vehygk/1


0 Karma
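To check the accepted regex offline against a few _meta values, here is an added Python example (not code from the thread or from Splunk); the sample _meta strings and the STRICT_REGEX variant are my own constructions, and the patterns assume id:: precedes username:: in _meta.

```python
import re

# Accepted answer's REGEX, copied as written (transforms.conf values are PCRE;
# Python's re supports the same negative-lookahead syntax).
ANSWER_REGEX = re.compile(
    r"(logtype::SAT.*id::(ABC-1|ABC-2))"
    r"|(logtype::SAT.*?id::ABC-3.*?username::(?![^:]+\-TEST))"
)

# The question's attempt, copied as written: "!" is not a NOT operator in PCRE,
# so "username!::" is matched literally and the ABC-3 branch can never hit.
QUESTION_REGEX = re.compile(
    r"(logtype::SAT.*id::(ABC-1|ABC-2)) "
    r"| (logtype::SAT.*id::ABC-3.*username!::[a-zA-Z]{2,3}-+.*?-TEST)"
)

# Assumption (my tightening, not from the thread): in the answer's regex [^:]+
# also matches spaces and is not anchored, so any "-TEST" before the next "::"
# is rejected, not only a username that ENDS in -TEST. This variant anchors the
# check to the end of the username value.
STRICT_REGEX = re.compile(
    r"(logtype::SAT.*id::(ABC-1|ABC-2))"
    r"|(logtype::SAT.*?id::ABC-3.*?username::(?![^\s:]*-TEST(?:\s|$)))"
)

# Constructed _meta strings: indexed fields as key::value pairs, as Splunk
# stores them (host/source/sourcetype omitted for brevity).
SAMPLES = {
    "abc1":        "logtype::SAT id::ABC-1 username::ab-cd-TEST",
    "abc3_prod":   "logtype::SAT id::ABC-3 username::ab-prod",
    "abc3_test":   "logtype::SAT id::ABC-3 username::ab-xy-TEST",
    "abc3_tester": "logtype::SAT id::ABC-3 username::ab-TESTER",
    "abc4":        "logtype::SAT id::ABC-4 username::ab-prod",
}

def routed(pattern: re.Pattern, meta: str) -> bool:
    """True when REGEX matches _meta, i.e. _TCP_ROUTING would be set."""
    return pattern.search(meta) is not None

def routing_table(pattern: re.Pattern) -> dict:
    """Which constructed samples each pattern would route to the heavy forwarder."""
    return {name: routed(pattern, meta) for name, meta in SAMPLES.items()}

if __name__ == "__main__":
    for name, pat in (("question", QUESTION_REGEX), ("answer", ANSWER_REGEX),
                      ("strict", STRICT_REGEX)):
        print(name, routing_table(pat))
```

Run it to see that the question's regex never routes an ABC-3 event, while the answer's regex routes ABC-3 except where "-TEST" appears in the username.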


SplunkTrust

If you need to validate your regex, try using www.regex101.com.
You can post your expression and some logs and see what is captured.

Hope this helps

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

Builder

I am good with the regex. I have tested it and it worked. I'm trying to see if my syntax under transforms.conf is correct, especially since I need to use a NOT operator, and for that I have used "!". I wanted to check if that's the correct syntax format. @diogofgm

0 Karma