Splunk Search

how to filter the logs when a username field ends with "-TEST"

pavanae
Builder

The following are my transforms.conf and props.conf on my cluster master, which send all the logs for the below search

logtype=SAT (id="ABC-1" OR id="ABC-2")

transforms.conf

[send_to_heavyforwarder]
SOURCE_KEY = _meta
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
DEST_KEY = _TCP_ROUTING
FORMAT = heavyforwarder_output

props.conf

[default]
TRANSFORMS-heavyforwarder = send_to_heavyforwarder

Now, I want to filter the events when the below search condition is met

logtype=SAT id="ABC-2" username="anything that ends with -TEST"

In order to filter the events that match the above condition, how do I modify my REGEX in transforms.conf? I think I need to use something like a negative look-back, but I am not sure what my new syntax could be that filters the events when the username ends with "-TEST".

Any help would be great.

0 Karma
1 Solution

mayurr98
Super Champion

try this?

(logtype::SAT.*id::(ABC-1|ABC-2).*username::[^\-]+\-TEST)

OR

logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-TEST

0 Karma

pavanae
Builder

Hi @mayurr98 I actually want to exclude any logs which contain "-TEST" at the end of username. The above answer will work if I wanted to include those logs.

I am trying to find the right syntax for excluding those, something like negative look-backs.

0 Karma

mayurr98
Super Champion

try this:

https://regex101.com/r/QhCN5V/1

logtype::SAT.*id::(ABC-1|ABC-2).*username::[^\-]+\-(?!TEST)

OR

logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-(?!TEST)

0 Karma

pavanae
Builder

Thanks @mayurr98. It almost worked great, but what could the regex be if my username values are as follows:

abc-def-ghi
jkl-mno-TEST
agh_123
ghk-TEST

Among the above 4 examples, I now just want to filter the username values that end with -TEST.

0 Karma
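The patterns in this thread can be checked offline before they go into transforms.conf. The script below is an added example, not code from the thread or from Splunk: it builds a handful of _meta-style strings for the four username values listed above (plus one extra, "ops-TESTER", where "-TEST" is a prefix rather than the end of the value), runs each posted regex over them, and compares the result with two anchored patterns of my own. It assumes that _meta holds indexed fields as space-separated key::value pairs and that username is one of those indexed fields; the sample strings are constructed, not captured from a real forwarder.

```python
import re

# Constructed _meta-style strings. Assumption: indexed fields appear in _meta as
# space-separated key::value pairs and username is an indexed field.
SAMPLE_META = [
    "logtype::SAT id::ABC-2 username::abc-def-ghi host::h1",
    "logtype::SAT id::ABC-2 username::jkl-mno-TEST host::h1",
    "logtype::SAT id::ABC-2 username::agh_123 host::h1",
    "logtype::SAT id::ABC-2 username::ghk-TEST host::h1",
    "logtype::SAT id::ABC-1 username::ops-TESTER host::h1",  # extra case: -TEST is not the end
]

# The four patterns posted in the thread, unchanged.
THREAD_PATTERNS = {
    "include_v1": r"logtype::SAT.*id::(ABC-1|ABC-2).*username::[^\-]+\-TEST",
    "include_v2": r"logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-TEST",
    "exclude_v1": r"logtype::SAT.*id::(ABC-1|ABC-2).*username::[^\-]+\-(?!TEST)",
    "exclude_v2": r"logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-(?!TEST)",
}

# Anchored alternatives (mine, not from the thread). \S+ keeps the match inside the
# one field value, and (?=\s|$) requires "-TEST" to be the end of that value.
ENDS_WITH_TEST = r"logtype::SAT.*id::(ABC-1|ABC-2).*username::\S+-TEST(?=\s|$)"
# Negative lookahead over the whole value: match only when the value does NOT end in -TEST.
NOT_ENDS_WITH_TEST = r"logtype::SAT.*id::(ABC-1|ABC-2).*username::(?!\S*-TEST(?:\s|$))\S+"


def username_of(meta):
    """Pull the username value out of a _meta-style string (None if absent)."""
    m = re.search(r"username::(\S+)", meta)
    return m.group(1) if m else None


def matches(pattern, meta):
    """True when the transform REGEX would fire on this _meta string."""
    return re.search(pattern, meta) is not None


def matched_usernames(pattern, metas=SAMPLE_META):
    """Usernames of the sample events a pattern selects, in input order."""
    return [username_of(m) for m in metas if matches(pattern, m)]


def report(metas=SAMPLE_META):
    """Side-by-side view of what each candidate pattern selects."""
    candidates = dict(THREAD_PATTERNS)
    candidates["ends_with_test"] = ENDS_WITH_TEST
    candidates["not_ends_with_test"] = NOT_ENDS_WITH_TEST
    return {name: matched_usernames(pat, metas) for name, pat in candidates.items()}


if __name__ == "__main__":
    for name, selected in report().items():
        print(f"{name:20s} -> {selected}")
```

Running it shows why the lookahead variants from the thread do not exclude "jkl-mno-TEST": `-(?!TEST)` is satisfied by any hyphen that is not followed by TEST, and the first hyphen in "jkl-mno-TEST" qualifies. Anchoring to the end of the value with `(?=\s|$)` is what makes "ends with -TEST" precise, and it also stops "-TESTER" from being treated as "-TEST". Because a transform REGEX only selects the events it matches, the pattern that goes into send_to_heavyforwarder has to describe the events you want routed, so excluding the -TEST accounts means matching everything else, as NOT_ENDS_WITH_TEST does.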