×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
aspa
Engager
Member since: ‎05-02-2012
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎05-02-2012
Activity Feed
Topics I've Started
View All

Re: REGEX transforms.conf, NOT operator

by in Splunk Search
‎05-08-2012 05:35 AM
‎05-08-2012 05:35 AM
Hello Kristian Thank you for your reply. I figured out where my failure was in the configuration. Your post helped me a lot! I just post shortly my solution: The props.conf remains almost the same as above: [source::/var/log/messages] TRANSFORMS-set=ignore The transforms.conf changed the most and is now shorter: [ignore] REGEX = miss DEST_KEY = queue FORMAT = nullQueue By sending the event matching the REGEX to the nullQueue, the event is not forwarded to the indexer. ... View more

REGEX transforms.conf, NOT operator

by in Splunk Search
‎05-07-2012 07:25 AM
‎05-07-2012 07:25 AM
Hi Splunkers I'm new to splunk and currently playing around with the heavy forwarder. I found here several examples how to match a specific string in an event and only forward that event to the indexer. However, I could not find the opposite. Here is what I would like to do. Let's say in /var/log/messages we have those two log entries: May 7 08:00:14 <host> <user>: Splunk, get that line! May 7 08:01:45 <host> <user>: Splunk, miss that line! My props.conf contains: [source::/var/log/messages] TRANSFORMS-set=setnull,ignore My transforms.conf contains: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [ignore] REGEX = !miss DEST_KEY = queue FORMAT = indexQueue I have tryed several regex for the NOT miss part. So far I have not found any solution. Again, my goal is not to match the first line. I know how that is done. I want to match everything except something with a key word. At the end I should be able to exclude known events and always receive on my indexer what is wanted or sofar unknown. Thank you for your help ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All