Hello, I need some help on regex here; I'm sure I may be making a mistake here, but...
I'm trying to break these into separate events by using LINE_BREAKER under props.conf.
Sample output of my events:
"datetime=26Aug2001","20:26:02","action=drop","fw_name=NFLcp.NFL.gov","dir=inbound","src=139.67.8.235","dst=139.203.160.214","bytes=48","rule=29","proto=tcp/http"
"datetime=26Aug2001","20:26:03","action=drop","fw_name=NFLcp.NFL.gov","dir=inbound","src=61.138.33.102","dst=139.203.13.45","bytes=48","rule=29","proto=tcp/http"
My props.conf LINE_BREAKER looks like this:
LINE_BREAKER = (tcp/http")
What's happening here is that since this is a capturing group, it doesn't get displayed in the actual event; it looks like this (without the tcp/http):
"datetime=26Aug2001","20:26:03","action=drop","fw_name=NFLcp.NFL.gov","dir=inbound","src=61.138.33.102","dst=139.203.13.45","bytes=48","rule=29","proto=
I tried using look-ahead like these, but it's still not working:
LINE_BREAKER = =(?=(tcp/http"))
LINE_BREAKER = =((?=tcp/http"))
Any help on this?
Thanks, pmr
You probably want something more like:
LINE_BREAKER = ([\r\n]+)(?=\"datetime\=)
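To see why the original pattern loses the "tcp/http" text and the suggested one does not, here is an added example (not from the original thread or from Splunk) that approximates the LINE_BREAKER rule: the text matched by the first capturing group is the break and is discarded, while anything the pattern matches outside that group, such as the lookahead, is kept. The two sample events are constructed from the question.

```python
import re

# Constructed sample: the two events from the question, joined as they would
# arrive in the raw stream (newline-terminated records).
RAW = (
    '"datetime=26Aug2001","20:26:02","action=drop","fw_name=NFLcp.NFL.gov","dir=inbound",'
    '"src=139.67.8.235","dst=139.203.160.214","bytes=48","rule=29","proto=tcp/http"\n'
    '"datetime=26Aug2001","20:26:03","action=drop","fw_name=NFLcp.NFL.gov","dir=inbound",'
    '"src=61.138.33.102","dst=139.203.13.45","bytes=48","rule=29","proto=tcp/http"\n'
)

# The question's pattern: the capturing group swallows the field value.
BROKEN = r'(tcp/http")'
# The answer's pattern: the group swallows only the newline; the lookahead
# anchors the break to the start of the next record without consuming it.
FIXED = r'([\r\n]+)(?=\"datetime\=)'


def split_events(raw, line_breaker):
    """Approximate Splunk LINE_BREAKER semantics (simplified model, not Splunk's
    own code): group 1 of each match is the break and is dropped; the text
    before it closes the current event, the text after it opens the next one.
    Events are returned with surrounding newlines trimmed and empties removed."""
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(raw):
        if m.lastindex is None:
            raise ValueError("LINE_BREAKER must contain a capturing group")
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip("\r\n")]


if __name__ == "__main__":
    for label, pat in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"--- {label}: {pat}")
        for ev in split_events(RAW, pat):
            print(repr(ev[-40:]))  # show how each event ends
```

With BROKEN each event ends in `"proto=`, exactly as the question describes; with FIXED both events keep `"proto=tcp/http"` and the break lands on the newline in front of the next `"datetime=`.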