Hello,
What is the correct REGEX to match the following field and value in all events from any sourcetype:
dest_port=443
I will be adding this to a nullQueue in transforms.conf. I have tried REGEX=dest_port=443 but this does not work (I am very new to REGEX).
Thanks
Does the text in the actual raw event contain the string?
dest_port=443
Because if it does not, you are probably referring to a field name that is extracted at search time. nullQueueing takes place during the parsing/indexing phase, and no fields are available then (apart from stuff like host, source etc). Also, make sure that you're editing the correct config files. nullQueueing takes place during the parsing phase, and depending on your setup, that might be on the indexer or on a Heavy Forwarder;
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad#Discard_specific_even...
props.conf:
[default]
TRANSFORMS-nullqueue_443 = remove443
transforms.conf:
[remove443]
REGEX = dest_port=443
DEST_KEY = queue
FORMAT = nullQueue
But as you may have noticed, it does not seem to work. Please provide a few sample events. Also, I'm not 100% sure that you can put the TRANSFORM in props.conf under the [default] stanza. It's a rather unusual request, and I have never tried it.
If that does not work (under [default]), then you might have to put the TRANSFORMS line in each source/sourcetype stanza that may contain data that you want to filter out.
EDIT: Typo in the stanza header in transforms.conf... fixed it.
/K
Just be aware that this setup may cause you to lose events if 443 turns up anywhere in an event (in a timestamp, as a response time, error code, byte count, etc.).
/k
Perfect, that worked! I found that this also works:
\b/443\b
but I like \D better...
Thanks!
Try \D (not a digit) at the end:
REGEX=/443\D
Hi, thanks. You were right: the raw event does not contain the "dest_port=443" string. So I tried with REGEX=/443 and it worked.
But now, how do I tell the regex to stop after 443 and not match 4435, 4436, etc. as well, so it only matches "443"?
Thanks!
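As an added example (editor's code, not from any participant in this thread), the script below simulates what the transforms.conf REGEX does at parse time: it is tested against the raw event text, and any event it matches goes to nullQueue. It runs the candidate patterns discussed above (dest_port=443, /443, /443\D and \b/443\b, plus a bare 443 to show the over-matching warning) against a handful of constructed firewall and web log lines, and adds one more pattern, /443(?!\d), as an assumption about what a practitioner would reach for when both \D and \b miss an edge case. Everything here uses Python's re module as a stand-in for Splunk's PCRE engine; the event lines are made up for the demonstration.

```python
import re

# Constructed sample raw events (not from the original thread). Splunk's
# transforms.conf REGEX is matched against _raw, the raw event text, at
# parse time; search-time fields such as dest_port do not exist yet.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 fw01 TCP 10.0.0.5:51234 -> 203.0.113.10/443 allow",   # port 443
    "2024-01-01T10:00:01 fw01 TCP 10.0.0.6:51235 -> 203.0.113.10/4435 allow",  # port 4435
    "2024-01-01T10:00:02 fw01 TCP 10.0.0.7:51236 -> 203.0.113.11/22 allow",    # port 22
    "2024-01-01T10:00:03 web01 GET /443 HTTP/1.1 200 bytes=443",               # URL path and byte count
    "2024-01-01T10:00:04 fw01 TCP 10.0.0.8:51237 -> 203.0.113.12/443",         # port 443 at end of line
]

# Candidate REGEX values from the thread, plus /443(?!\d) which is the
# editor's assumption of a pattern that handles the end-of-line case.
CANDIDATES = {
    "dest_port=443": r"dest_port=443",
    "/443":          r"/443",
    r"/443\D":       r"/443\D",
    r"\b/443\b":     r"\b/443\b",
    r"/443(?!\d)":   r"/443(?!\d)",
    "443":           r"443",
}


def dropped_indexes(regex, events=SAMPLE_EVENTS):
    """Indexes of events the REGEX would route to nullQueue (i.e. match).

    Mirrors DEST_KEY = queue / FORMAT = nullQueue: a match anywhere in the
    raw text discards the event, just like re.search.
    """
    pattern = re.compile(regex)
    return [i for i, event in enumerate(events) if pattern.search(event)]


def apply_nullqueue(regex, events=SAMPLE_EVENTS):
    """Events that survive the filter and would be indexed."""
    drop = set(dropped_indexes(regex, events))
    return [event for i, event in enumerate(events) if i not in drop]


def compare_candidates(events=SAMPLE_EVENTS):
    """Map each candidate REGEX name to the event indexes it would drop."""
    return {name: dropped_indexes(rx, events) for name, rx in CANDIDATES.items()}


if __name__ == "__main__":
    for name, dropped in compare_candidates().items():
        print(f"{name:16s} drops events {dropped}")
```

Running it shows why each pattern behaves as the thread describes: dest_port=443 matches nothing because the field name is not in the raw text; /443 also drops the /4435 line; /443\D fixes that but cannot match when 443 is the last thing on the line (there is no following character to be a non-digit); \b/443\b handles end of line but does not match "GET /443" because there is no word boundary between the space and the slash; and a bare 443 would also drop the web log line on its byte count, which is the over-matching the earlier warning refers to. The lookahead form /443(?!\d) drops exactly the three port-443 lines. The equivalent transforms.conf stanza would be the one already shown above with REGEX = /443(?!\d).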