Splunk Search

How to write the regex in transforms.conf to filter and only index logs with "login time"?

skenkz
New Member

Hello,
i need to implement a regex to filter contents of logs of vmware infrastructure.

The only logs I want to receive and index in Splunk will have to be:

Mar 25 10:36:45 172.20.1.9 2015-03-25T09:36:31.014Z IBM-ESXi-5.aditinet.local Hostd: [FFB37920 info 'Vimsvc.ha-eventmgr' opID=B6CBCB83-00000031 user=DOMAIN\test.test] Event 2459 : User DOMAIN\test.test@172.31.255.45 logged out (login time: Wednesday, 25 March, 2015 09:35:59, number of API invocations: 0, user agent: VMware VI Client/4.0.0)

I want to filter only word: "login time".

These are my props.conf and transform.conf located in path /opt/splunk/etc/system/local:

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setparsing

File transforms.conf

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue

I tested it, but doesn't work.

Please, could someone help me to build the correct regex?

Thanks in advance.

0 Karma

somesoni2
Revered Legend

Try this (both the configuration files on Indexer/Heavyforwarder)

File props.conf

[host::172.20.1.9]
TRANSFORMS-set= setnull,setparsing

File transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login time:
DEST_KEY = queue
FORMAT = indexQueue
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...