Splunk Search

how to exclude sending logs to heavy forwarder which ends with a specific string using transforms.conf in cluster master?

pavanae
Builder

The following are my transforms.conf and props.conf in my cluster master

transforms.conf

[send_to_heavyforwarder]
SOURCE_KEY = _meta
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
DEST_KEY = _TCP_ROUTING
FORMAT = heavyforwarder_output

props.conf

[default]
TRANSFORMS-heavyforwarder = send_to_heavyforwarder

This is used to send logs to a heavy forwarder only for events whose fields match the regex condition specified in transforms.conf, which is below:

REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))

Now I need to send one more id (whose field value is ABC-3) to the heavy forwarder, but instead of sending all of those logs to the heavy forwarder I need to exclude sending logs to the heavy forwarder when the username field ends with the string "TEST". For that I have modified my regex in transforms.conf as below:

REGEX = (logtype::SAT.*id::(ABC-1|ABC-2)) | (logtype::SAT.*id::ABC-3.*username!::[a-zA-Z]{2,3}-+.*?-TEST)

Could anyone verify the above regex and confirm whether I used the right condition to satisfy the requirement? If not, what would be the proper REGEX syntax to apply in my transforms.conf?

Any help could be great.

Note: username is also a metadata field.

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this (using negative lookahead):

REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))|(logtype::SAT.*?id::ABC-3.*?username::(?![^:]+\-TEST))

See here for validation:
https://regex101.com/r/Vehygk/1


0 Karma
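The accepted regex above, exercised against constructed _meta strings so you can see which events would get _TCP_ROUTING set. This is an added example, not code from the thread; it assumes the metadata fields appear in the order logtype, id, username, which the regex itself depends on.

```python
import re

# The REGEX from the accepted answer, copied verbatim.
ROUTE_RE = re.compile(
    r"(logtype::SAT.*id::(ABC-1|ABC-2))"
    r"|(logtype::SAT.*?id::ABC-3.*?username::(?![^:]+\-TEST))"
)


def routes_to_heavy_forwarder(meta: str) -> bool:
    """True if an event with this _meta string would have _TCP_ROUTING
    set to heavyforwarder_output by the send_to_heavyforwarder transform."""
    return ROUTE_RE.search(meta) is not None


# Constructed _meta strings in Splunk's space-separated key::value form.
# Field order (logtype, id, username) is an assumption of this example.
SAMPLE_META = {
    "abc1_any_user":    "logtype::SAT id::ABC-1 username::ab-ops-TEST",
    "abc3_normal_user": "logtype::SAT id::ABC-3 username::ab-ops-prod",
    "abc3_test_user":   "logtype::SAT id::ABC-3 username::ab-ops-TEST",
    # "-TEST" followed by more characters: the lookahead has no end anchor,
    # so this username is excluded as well, not only ones ending in TEST.
    "abc3_tester_user": "logtype::SAT id::ABC-3 username::ab-ops-TESTER",
    "abc4_normal_user": "logtype::SAT id::ABC-4 username::ab-ops-prod",
    "other_logtype":    "logtype::OTHER id::ABC-3 username::ab-ops-prod",
}


def route_all(samples=SAMPLE_META) -> dict:
    """Map each sample name to whether it is routed to the heavy forwarder."""
    return {name: routes_to_heavy_forwarder(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, routed in route_all().items():
        dest = "heavyforwarder_output" if routed else "default route"
        print(f"{name:18s} -> {dest}")
```

Run it with the field order and values your own _meta actually carries; the ABC-1/ABC-2 branch never inspects username, so those events are routed regardless of the suffix.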

diogofgm
SplunkTrust

If you need to validate your regex, try using www.regex101.com.
You can post your expression and some logs and see what is captured.

Hope this helps

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

pavanae
Builder

I am good with the regex. I have tested it and it worked. I'm trying to see if my syntax under transforms.conf is correct, especially since I need to use a NOT operator, and for that I have used "!". I wanted to check if that's the correct syntax format. @diogofgm

0 Karma