I am new to both Splunk and REGEX. I am trying to filter out syslog data from a single src address. I have the following in my Transforms.conf [setnull] REGEX = \[src=172.23.8.50\] DEST_KEY = queue FORMAT = nullQueue My data looks like this: Oct 8 13:08:46 10.103.236.21 SSG550: NetScreen device_id=SSG550 [Root]system-notification-00257(traffic): start_time="2010-10-08 13:08:46" duration=0 policy_id=225 service=tcp/port:7777 proto=6 src zone=DMZ-8 dst zone=WAN action=Permit sent=0 rcvd=0 src=172.23.8.50 dst=172.20.15.22 src_port=15120 dst_port=7777 src-xlated ip=172.23.8.50 port=15120 dst-xlated ip=172.20.15.22 port=7777 session_id=250914 Isn't there some way I can select these records based on the field "src"? If not, can someone tell me why my regex above is not working. Thanks again for helping a newbee out. ... View more

I need some help filtering data from a udp (port 514) syslog input. I know the source IP and I assume I will need a regex to exclude the records that I want to exclude, but I am confused as to what needs to be added to the config files. Inputs.conf, props.conf and transforms.conf. Any help you could offer this new user would be apreciated. ... View more

I have installed Splunk for F5 and the ASM Log Source type is not listed as an available source type for my logs. I am running Splunk 4.1.3 Build 80534 for Windows. Can someone tell me how to setup my data input as ASM Logs Source type? Thanks. ... View more