×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
cr32003
New Member
Member since: ‎11-04-2011
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-04-2011
Activity Feed
Topics I've Started
View All

Re: Regex for field ending with $

by in Splunk Dev
‎12-19-2011 07:35 AM
‎12-19-2011 07:35 AM
I have now tried pretty much all of the conbinations, including the one(s) above BUT if i put in the EventCode REGEX all is Hunky Dory and ANY changes made to the EventCode numbers are reflected in the indexing. However if I then remove the EventCode REGEX and insert the User REGEX (either your version above or my original version) into the SAME TRANSFORMS Stanza then Splunk in its wisdom still indexes all of the events with the User field ending in '$'. The MOST annoying thing is that if I do the following search:- source="WMI:WinEventLog:Security" | regex User="\$$" Then the results are all events with the User field ending in '$'. Is there any 'debugging' tools to see what Splunk is actually doing when it receives the event and makes the decision as to whether to either index it or not? ... View more

Re: Regex for field ending with $

by in Splunk Dev
‎12-15-2011 07:13 AM
‎12-15-2011 07:13 AM
Sorry the copy/paste bit obviuosly did not work correctly the regex should read 'REGEX=(?m)^User=\$$' which i thought should be any "user value ending in '$'". I have tried changing this to what you suggested and it still has no affect. ... View more

Regex for field ending with $

by in Splunk Dev
‎12-15-2011 06:29 AM
‎12-15-2011 06:29 AM
I am trying to filter out WMI events that have the 'User' field whicxh ends with a $ i.e a special character as far as regex is concerned.I am running Splunk version 4.2.2 on a windows 2003 server (virtualised). my 'local' 'props.conf' is set to:- [WMI:WinEventLog:Security] TRANSFORMS-wmi=wmiExcludeUsers [WMI:WinEventLog:Security] TRANSFORMS-wmi=wmiExcludeEventCodes and my 'local' 'transforms.conf' is set to:- [wmiExcludeEventCodes] REGEX=(?m)^EventCode=(512|513|514|515) DEST_KEY=queue FORMAT=nullQueue [wmiExcludeUsers] REGEX=(?m)^User=\$$ DEST_KEY=queue FORMAT=nullQueue I am fairly sure that the EventCodes bit is working but the Users bit is not. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM