×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
smichalowski
New Member
Member since: ‎05-27-2015
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-27-2015
Activity Feed
View All

Re: How to edit my regex in transforms.conf to fil...

by in Splunk Search
‎05-28-2015 05:38 AM
‎05-28-2015 05:38 AM
I dont use - I added it n this discuss to underline that in real file backslash exist. Below copy/paste of the real transforms.conf file: [wminull] REGEX=(EventCode=4624).+(Account\s+Name:.+John) DEST_KEY=queue FORMAT=nullQueue ... View more

Re: How to edit my regex in transforms.conf to fil...

by in Splunk Search
‎05-28-2015 05:06 AM
‎05-28-2015 05:06 AM
Thank you for the response and help. In fact my regex didint work in regex101.com. Your is ok. It works in regex101.com. So, i your added your regex it to transforms.conf. transforms.conf is as follow now: [wminull] REGEX=(EventCode=4624).+(Account\s+Name:.+John) #between 'Account' and 's' there is backslash but is not displayed DEST_KEY=queue FORMAT=nullQueue props.conf is: [WMI:WinEventLog:Security] TRANSFORMS-wmi=wminull I have restarted Splunk and no results. Event are still indexed :-(. What is wrong??? my observation is: when regex works in search line, it doesn't work in transforms.conf. ... View more

How to edit my regex in transforms.conf to filter ...

by in Splunk Search
‎05-27-2015 02:32 PM
‎05-27-2015 02:32 PM
Hello everybody, I am new to Splunk. What is my problem: Universal forwarder sends Windows Event Logs to Indexer (Splunk 6.x). On the indexer I want to filter out before indexing all events with EventCode=4624, which are generated for a user with account name "John". I have created props.conf and transforms.conf on the indexer. I have a problem with regex (I am sure that the problem is with regex because if I put REGEX=. in transforms.conf all events are filtered out). In transforms.conf I have: REGEX=(?m)^(EventCode=4624)(Account\s*name.\s*John) It does not work. Events with this code and for this user are still indexed. Could you help me in defining proper regex? thank you in advance Slawomir ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM