Hi,
I have a regex to allow certain data into Splunk via a transforms, and now I need to update it. I made some changes, but the data still isn't coming in, so I'm assuming that my regex is wrong.
Here's my transforms:
[save_fil_wc_ips_ive_tr0_asr]
REGEX = (?i)^[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|(fil|fidc|wc|tr0|asr|[0-9][0-9[0-9]rtr-1.fmr.com|rtr-2.fmr.com)
DEST_KEY = queue
FORMAT = indexQueue
Here's some sample data:
1478196000000|3176866|NormalizedPortInfo|UnknownProtocolPkts|0|Interface|150rtr-1.fmr.com|Gi0/0/0
1478196000000|3176866|NormalizedPortInfo|Bits|1333972272|Interface|150rtr-1.fmr.com|Gi0/0/0
1478196000000|3176866|NormalizedPortInfo|UnicastOut|280872|Interface|150rtr-1.fmr.com|Gi0/0/0
1478196000000|3176866|NormalizedPortInfo|ErrorsIn|0|Interface|150rtr-1.fmr.com|Gi0/0/0
1478196000000|3176866|NormalizedPortInfo|AdminStatusPollable|1|Interface|150rtr-1.fmr.com|Gi0/0/0
1478196000000|3176866|NormalizedPortInfo|FrameSize|292.6625456115502|Interface|150rtr-1.fmr.com|Gi0/0/0
1478196000000|3176866|NormalizedPortInfo|SpeedIn|30000000|Interface|150rtr-1.fmr.com|Gi0/0/0
1478196000000|3176866|NormalizedPortInfo|BitsOut|327007456|Interface|150rtr-1.fmr.com|Gi0/0/0
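An added example, not part of the original post: a Python check of the posted REGEX against the sample events (Python's `re` handles these constructs the same way as Splunk's PCRE engine). `CANDIDATE` is an assumption about the intent, three digits followed by rtr-1 or rtr-2, and the lines marked constructed are not from the post.

```python
import re
import warnings

# REGEX exactly as posted; "[0-9[0-9]" is one character class, not two.
POSTED = (r"(?i)^[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|"
          r"(fil|fidc|wc|tr0|asr|[0-9][0-9[0-9]rtr-1.fmr.com|rtr-2.fmr.com)")

# Assumption about intent (not stated in the post): three digits, then
# rtr-1 or rtr-2, with the dots escaped so they match only a literal ".".
CANDIDATE = (r"(?i)^(?:[^|]+\|){6}"
             r"(fil|fidc|wc|tr0|asr|[0-9]{3}rtr-[12]\.fmr\.com)")

PREFIX = "1478196000000|3176866|NormalizedPortInfo|Bits|1333972272|Interface|"
SAMPLES = {
    "from_post":  PREFIX + "150rtr-1.fmr.com|Gi0/0/0",  # sample data in the post
    "two_digits": PREFIX + "15rtr-1.fmr.com|Gi0/0/0",   # constructed
    "rtr2":       PREFIX + "150rtr-2.fmr.com|Gi0/0/0",  # constructed
    "loose_dots": PREFIX + "15rtr-1xfmrycom|Gi0/0/0",   # constructed
    "other_host": PREFIX + "corehost.fmr.com|Gi0/0/0",  # constructed
}


def compile_quiet(pattern):
    """Compile while ignoring any 'nested set' warning about the stray '['."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        return re.compile(pattern)


def kept(pattern):
    """Map each sample name to True if the transform's REGEX would match it."""
    rx = compile_quiet(pattern)
    return {name: rx.match(line) is not None for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED), ("candidate", CANDIDATE)):
        print(label, kept(pattern))
```

With the posted pattern the digit part consumes only two characters, so a three-digit device name such as 150rtr-1.fmr.com never reaches the literal `rtr-1`, and the `rtr-2.fmr.com` alternative only matches a field that starts with `rtr-2`.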