Hi Guiseppe, This is a single system setup so all setups are on the same machine. I have validated the folder and app locations of the conf files and they're all OK. Thanks, Amrit ... View more

Hi Guiseppe, I've tried your option of REGEX = (sla=\"xyz\") and it still doesn't work. Is there anyway I can debug this - to understand why Splunk is not executing the REGEX check? Because I can't think of any other avenue here at the moment. Also, from an ease of use perspective, is it necessary for me to restart splunk every time I amend conf files with such changes or would running https://splunkserver:port/debug/refresh suffice? Thanks, Amrit ... View more

Hi Guiseppe, That didn't work either. I amended things to something more elementary to try and debug this - I tried to filter out certain events just to check if the REGEX search expressions were working. I edited my conf files to below to see if events with sla="abc" were getting filtered out. props.conf: [snow:task_sla] TRANSFORMS-set = setnull transforms.conf: [setnull] REGEX = sla\=\"abc\" DEST_KEY = queue FORMAT = nullQueue Since the REGEX expressions are correct I should ideally see all events except for sla="abc" but that is not happening. For some reason it looks like Splunk is either not running the REGEX condition or they aren't working. ... View more

Both of the above regex searches aren't filtering anything out. Here's a sample event. endpoint="https://xxx.service-now.com/",business_duration="1970-01-01 00:00:00",start_time="2017-11-21 09:21:32",duration="1970-01-01 00:00:00",sys_updated_on="2017-11-21 09:21:33",has_breached="false",sys_created_on="2017-11-21 09:21:33",sys_id="d6f9a8s7d6f9a78sd6f9a78sd6f9a78s",sys_tags="",end_time="",pause_time="",task="sd9f8g6s9df8g69sd8f7g6sdfgs9df87",planned_end_time="2017-11-28 09:21:32",active="true",pause_duration="",sla="xyz",original_breach_time="2017-11-28 09:21:32",percentage="0",sys_mod_count="0",sys_updated_by="asdf",business_time_left="1970-01-03 02:00:00",stage="in_progress",timezone="Europe/London",schedule="asd9f8asd9f78as6d9f876sd9f786asd",business_percentage="0",time_left="1970-01-08 00:00:00",business_pause_duration="",sys_created_by="asdf" host = splunk source = https://xxx.service-now.com/ sourcetype = snow:task_sla Here's a btool snippet of my transforms.conf: [setnull] CAN_OPTIMIZE = True CLEAN_KEYS = True DEFAULT_VALUE = DEST_KEY = queue FORMAT = nullQueue KEEP_EMPTY_VALS = False LOOKAHEAD = 4096 MV_ADD = False REGEX = . SOURCE_KEY = _raw WRITE_META = False [setparsing] CAN_OPTIMIZE = True CLEAN_KEYS = True DEFAULT_VALUE = DEST_KEY = queue FORMAT = indexQueue KEEP_EMPTY_VALS = False LOOKAHEAD = 4096 MV_ADD = False REGEX = sla\=\"abc\" SOURCE_KEY = _raw WRITE_META = False Btool snippet of props.conf: [snow:task_sla] ANNOTATE_PUNCT = True AUTO_KV_JSON = true BREAK_ONLY_BEFORE = BREAK_ONLY_BEFORE_DATE = True CHARSET = AUTO DATETIME_CONFIG = \etc\datetime.xml FIELDALIAS-snow:task_sla:tak_sys_id = task AS task_sys_id HEADER_MODE = LEARN_SOURCETYPE = true LINE_BREAKER_LOOKBEHIND = 100 LOOKUP-sla_supplier_lookup = sla_supplier_lookup sys_id AS sla OUTPUTNEW name AS sla_definition priority sla_supplier MAX_DAYS_AGO = 2000 MAX_DAYS_HENCE = 2 MAX_DIFF_SECS_AGO = 3600 MAX_DIFF_SECS_HENCE = 604800 MAX_EVENTS = 256 MAX_TIMESTAMP_LOOKAHEAD = 128 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard SHOULD_LINEMERGE = True TRANSFORMS = TRANSFORMS-set = setnull,setparsing TRUNCATE = 10000 detect_trailing_nulls = auto maxDist = 100 priority = sourcetype = ... View more

I might have found something.. Events list abc in double quotes so I will need to include that in my regex condition. I tried the expression below but to no avail again. REGEX sla="abc" Thanks, Amrit ... View more

REGEX = sla=abc REGEX = abc Tried both. Still indexes sla=zyx and others. Weird! Thanks, Amrit ... View more

Hi Guiseppe, Thanks for responding. In my case it's the former so I have sla=abc in my logs. I've nevertheless tried both your options and neither work for me. I still see events with sla=zyx getting indexed. Thanks, Amrit ... View more