×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
moey
New Member
Member since: ‎08-09-2018
‎11-18-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-09-2018
View All

Re: Regex - Filtering out unwanted events doesn't ...

by in Splunk Search
‎08-09-2018 03:07 PM
‎08-09-2018 03:07 PM
Hi, Yes, I deployed the props and transforms from my master node to my indexers and I can see them. According to the bundle distribution, I don't need to Splunk indexers. no typo, we've had successfully filter out unwanted events in the past similar to what I'm trying to do right now let me try that and see if it makes a difference yes, i'm still seeing in the new incoming data and it's weird that it's not working. we've done it before. Thanks. ... View more

Regex - Filtering out unwanted events doesn't work

by in Splunk Search
‎08-09-2018 02:23 PM
‎08-09-2018 02:23 PM
Raw Cisco WSA squid event: 1533849492.277 0 192.168.1.11 TCP_DENIED/307 0 GET http://detectportal.firefox.com/success.txt - NONE/- - OTHER-NONE-AuthenticatedUsers-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> - props.conf [cisco:wsa:squid] TRANSFORMS-null = tcpdenied307-firefox transforms.conf [tcpdenied307-firefox] REGEX = .+(TCP_DENIED).+(307).+(detectportal.firefox.com).+ DEST_KEY = queue FORMAT = nullQueue Any ideas why my REGEX doesn't work? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-18-2020 01:26 PM