Hi all!
A have a log file that use ASCII Dec 031 (US - Unit Separator) as delimiter.
How can I configure my transforms and props to work with this delimiter?
Thanks a lot.
Use RegEx encoding for this character: \x1F
.
I set my props as follow:
[mailheader]
NO_BINARY_CHECK = 1
pulldown_type = 1
CHECK_FOR_HEADER = false
REPORT-AutoHeader = MailHeader
and my transforms as follow:
[MailHeader]
DELIMS="\1f"
FIELDS="FILENAME","TIMESTAMP","IP","FROM","RETURN_PATH","TO","CC","SUBJECT","AUTH"
Is not running... 😞
The fields aro not correctly separated.
I am not sure if DELIMS
method will work but try this transforms.conf
and see:
[MailHeader]
DELIMS="\x1F"
FIELDS=FILENAME, TIMESTAMP, IP, FROM, RETURN_PATH, TO, CC, SUBJECT, AUTH
If you can't make it work then keep your props.conf
the same and try this for transforms.conf
:
[MailHeader]
REGEX=^([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)\x1F([^\x1F]*)
FORMAT=FILENAME::$1 TIMESTAMP::$2 IP::$3 FROM::$4 RETURN_PATH::$5 TO::$6 CC::$7 SUBJECT::$8 AUTH::$9
Great!
DELIMS do not work, but REGEX works very fine.
Thanks a lot