regex forwarder

mcbradford
Contributor

I am new to regex, so...

I want to filter out all events that contain the word sendmail

My messages look like the following

type=SYSCALL msg=audit(12/13/2011 05:41:01.898:11192536) : arch=x86_64 syscall=unlink success=yes exit=0 a0=2afe55cbc340 a1=2afe60dea7a6 a2=2afe55cbc352 a3=2afe55cbc340 items=2 ppid=5655 pid=5656 auid=unset uid=root gid=smmsp euid=root suid=root fsuid=root egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=4294967295 comm=sendmail exe=/usr/sbin/sendmail.sendmail key=(null)

This is what I have in my transforms.conf

[auditdNullsendmail]
# filter auditd, multiline, comm=sendmail
REGEX=(?ms)^comm=sendmail.+exe=/usr/sbin
DEST_KEY=queue
FORMAT=nullQueue

Does this look like it will work?

When I search for sendmail in realtime - I am seeing events come in, but they are from the past (like Splunk is catching up???)


lguinn2
Legend

I don't think this is exactly what you want. Some parts of the regex that you are showing seem unnecessary, and some are wrong... Try this:

REGEX=\scomm=sendmail\s

The other lines appear correct to me.

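To see why the two regexes behave differently before touching transforms.conf, here is an added example (not from the thread or from Splunk) that applies both patterns to the auditd line from the question plus two constructed events. Splunk evaluates REGEX as an unanchored PCRE search over the whole event, which Python's re.search mirrors for these patterns; the queue names are the ones used in the stanza above.

```python
import re

# Constructed sample events: the first is the auditd line from the question,
# the other two are made up to show a non-sendmail process and a process
# whose name merely starts with "sendmail".
EVENTS = [
    "type=SYSCALL msg=audit(12/13/2011 05:41:01.898:11192536) : arch=x86_64 syscall=unlink success=yes exit=0 a0=2afe55cbc340 a1=2afe60dea7a6 a2=2afe55cbc352 a3=2afe55cbc340 items=2 ppid=5655 pid=5656 auid=unset uid=root gid=smmsp euid=root suid=root fsuid=root egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=4294967295 comm=sendmail exe=/usr/sbin/sendmail.sendmail key=(null)",
    "type=SYSCALL msg=audit(12/13/2011 05:42:10.001:11192600) : arch=x86_64 syscall=execve success=yes exit=0 ppid=1 pid=7001 auid=unset uid=root gid=root comm=sshd exe=/usr/sbin/sshd key=(null)",
    "type=SYSCALL msg=audit(12/13/2011 05:43:00.500:11192700) : arch=x86_64 syscall=open success=yes exit=3 ppid=5655 pid=5700 auid=unset uid=root gid=root comm=sendmailwrap exe=/usr/local/bin/sendmailwrap key=(null)",
]

# The stanza from the question: "^" only matches at the start of a line
# (with the m flag), but "comm=" never sits at a line start in these events.
ORIGINAL_REGEX = r"(?ms)^comm=sendmail.+exe=/usr/sbin"

# The suggested replacement: the surrounding \s require "comm=sendmail" to be
# a whole key=value token, so comm=sendmailwrap is not dropped by accident.
SUGGESTED_REGEX = r"\scomm=sendmail\s"


def route(event: str, regex: str) -> str:
    """Model the transforms.conf decision: a REGEX match sends the event to
    nullQueue (discarded); otherwise it continues to the index queue."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def route_all(events: list[str], regex: str) -> list[str]:
    """Route every event and return the queue chosen for each one."""
    return [route(e, regex) for e in events]


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_REGEX), ("suggested", SUGGESTED_REGEX)):
        print(name, route_all(EVENTS, rx))
```

Running it shows the original pattern drops nothing at all, while the suggested one drops only the genuine comm=sendmail event.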