
Forums: SplunkGeneral: REGEX Help




Hi,

I am trying to filter events from a Windows security log using a REGEX so that only events 529 and 560 come through, but also only if the domain name does NOT equal 'Domain' (so I am only logging failed logins to the local machine, not logins to the domain).

I have tried:

[log-filter]
REGEX=EventCode=(560|529)
REGEX=Domain!={Domain)
DEST_KEY = queue
FORMAT = indexQueue

Would I need to add the REGEX for the domain to the end of the event ID REGEX, or keep it on a separate line?

Thanks.

You can't use two REGEX keys such as this, so you would need to write one regex that looks for both.
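As an added illustration (not code from either poster), the following Python script builds the single combined regex the answer calls for and runs it over constructed sample events. The assumptions are: the domain to exclude is CORP (standing in for the placeholder 'Domain' in the question), the events use a simplified WinEventLog:Security layout with a "Domain:" line inside the message, and the transforms.conf/props.conf stanza names are invented. Python's re engine accepts the same lookahead and inline-flag syntax as the PCRE engine Splunk uses, so the string in FILTER_REGEX can be pasted into transforms.conf as-is. One caveat the question's snippet does not account for: a transform that sends matches to indexQueue does not by itself discard anything, so the shown transforms.conf pairs it with a catch-all nullQueue transform that is listed first in props.conf and then overridden for the events that match.

```python
import re

# Domain to exclude. The original post used the placeholder 'Domain';
# CORP is an assumed name for this example.
EXCLUDED_DOMAIN = "CORP"

# One PCRE-compatible regex that does both jobs:
#   (?s)                      '.' also matches newlines (events are multi-line)
#   ^(?!...)                  negative lookahead anchored at the start: fail the
#                             whole match if any "Domain:" field equals CORP exactly
#                             (this also covers fields ending in "Domain:", such as
#                             "Client Domain:")
#   .*EventCode=(?:529|560)\b then require one of the two event codes
FILTER_REGEX = (
    r"(?s)^(?!.*Domain:[ \t]*" + re.escape(EXCLUDED_DOMAIN) + r"[ \t]*(?:\r?\n|\Z))"
    r".*EventCode=(?:529|560)\b"
)
_FILTER = re.compile(FILTER_REGEX)

# The same regex placed in transforms.conf. Stanza names are assumed. The
# catch-all [setnull] transform sends everything to nullQueue; the second
# transform, applied afterwards, re-routes matching events to indexQueue.
TRANSFORMS_CONF = f"""\
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_local_logon_events]
REGEX = {FILTER_REGEX}
DEST_KEY = queue
FORMAT = indexQueue
"""

# props.conf must list the catch-all first so the specific transform wins.
PROPS_CONF = """\
[WinEventLog:Security]
TRANSFORMS-set = setnull, keep_local_logon_events
"""


def should_index(event: str) -> bool:
    """Return True if the event would be routed to indexQueue by the regex."""
    return _FILTER.search(event) is not None


def route(events):
    """Return only the events the combined transform would keep."""
    return [e for e in events if should_index(e)]


# Constructed sample events (simplified layout, not real log data).
SAMPLE_EVENTS = [
    # 529 failed logon against the local machine -> keep
    "EventCode=529\nEventType=16\nType=Failure Audit\nComputerName=WS01\n"
    "Message=Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
    "\tUser Name:\tadmin\n\tDomain:\t\tWS01\n\tLogon Type:\t2\n",
    # 529 failed logon against the domain -> drop
    "EventCode=529\nEventType=16\nType=Failure Audit\nComputerName=WS01\n"
    "Message=Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
    "\tUser Name:\tadmin\n\tDomain:\t\tCORP\n\tLogon Type:\t2\n",
    # 560 object open by a local account -> keep
    "EventCode=560\nEventType=8\nType=Success Audit\nComputerName=WS01\n"
    "Message=Object Open:\n\tObject Type:\tFile\n"
    "\tClient User Name:\tsvc_backup\n\tClient Domain:\tWS01\n",
    # 528 successful logon (wrong event code) -> drop
    "EventCode=528\nEventType=8\nType=Success Audit\nComputerName=WS01\n"
    "Message=Successful Logon:\n\tUser Name:\tadmin\n\tDomain:\t\tWS01\n",
    # 529 against a domain whose name merely starts with CORP -> keep
    "EventCode=529\nEventType=16\nType=Failure Audit\nComputerName=WS01\n"
    "Message=Logon Failure:\n\tUser Name:\tguest\n\tDomain:\t\tCORP-EXT\n",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        code = event.split("\n", 1)[0]
        print(code, "->", "indexQueue" if should_index(event) else "nullQueue")
    print(TRANSFORMS_CONF)
    print(PROPS_CONF)
```

The exact-match tail `[ \t]*(?:\r?\n|\Z)` after the domain name is what keeps CORP-EXT from being swept up with CORP; a bare `\b` would not distinguish them. If the domain value can appear with trailing carriage returns or different whitespace in a real feed, widen that tail rather than loosening the name itself.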