Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write the regex in transforms.conf to filter and only index logs with "login time"?

skenkz
New Member
‎03-25-2015 09:52 AM

Hello,
i need to implement a regex to filter contents of logs of vmware infrastructure.

The only logs I want to receive and index in Splunk will have to be:

Mar 25 10:36:45 172.20.1.9 2015-03-25T09:36:31.014Z IBM-ESXi-5.aditinet.local Hostd: [FFB37920 info 'Vimsvc.ha-eventmgr' opID=B6CBCB83-00000031 user=DOMAIN\test.test] Event 2459 : User DOMAIN\test.test@172.31.255.45 logged out (login time: Wednesday, 25 March, 2015 09:35:59, number of API invocations: 0, user agent: VMware VI Client/4.0.0)

I want to filter only word: "login time".

These are my props.conf and transform.conf located in path /opt/splunk/etc/system/local:

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setparsing

File transforms.conf

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue

I tested it, but doesn't work.

Please, could someone help me to build the correct regex?

Thanks in advance.

0 Karma
Reply

somesoni2
Revered Legend
‎03-25-2015 10:26 AM

Try this (both the configuration files on Indexer/Heavyforwarder)

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setnull,setparsing

File transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!