I am attempting to index some SSRS logs. Each log file has a header at the beginning of the file. I would like to pull out the header before indexing. I attempted to use PREAMBLE_REGEX, but I cannot get it to work. The header always has the following format:
A LOT of text
I know there has to be a way to pull it out, but either I am going down the wrong track with PREAMBLE_REGEX or I have a flaw in my code. Any advice is welcome.
Try this
[<< sourcetype >>]
TRANSFORMS-skiphdr= skip_header_logfile
[skip_header_logfile]
REGEX = << 20-30 characters of your header line >>
DEST_KEY = queue
FORMAT = nullQueue
On your forwarder where you are getting this data, update your props.conf with this line from @jayannah:
[<< sourcetype >>]
TRANSFORMS-skiphdr= skip_header_logfile
Then create a transforms.conf in the same location and add these lines by @jayannah:
[skip_header_logfile]
REGEX = << 20-30 characters of your header line >>
DEST_KEY = queue
FORMAT = nullQueue
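Before pushing the props.conf / transforms.conf pair from the two answers above onto a forwarder, it helps to check offline which events the REGEX will actually send to nullQueue. The following is an added example, not code from the thread or from Splunk: a small Python harness that parses the two stanzas with configparser, breaks a constructed log into events, and routes each event through the TRANSFORMS chain. The sourcetype name ssrs_trace, the REGEX, the ENTRY_START pattern and the sample log text are all assumptions. It also shows the failure mode to watch for: because a nullQueue transform matches against whole events, a header that gets line-merged together with real entries takes those entries down with it.

```python
import configparser
import re

# Constructed stand-ins for the stanzas in the answers above (sourcetype name
# and REGEX are assumptions, not values taken from SSRS or the original post).
PROPS_CONF = """
[ssrs_trace]
TRANSFORMS-skiphdr = skip_header_logfile
"""

TRANSFORMS_CONF = r"""
[skip_header_logfile]
REGEX = ^\s*<Header>
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample resembling an SSRS trace log: an XML-style header block,
# then one entry per line. Not a real capture.
SAMPLE_LOG = """\
<Header>
  <Product>Constructed Reporting Services build 0.0.0</Product>
  <SystemName>CONSTRUCTED-HOST</SystemName>
</Header>
library!ReportServer_0-1!1a2b!01/01/2024-00:00:01:: i INFO: Catalog SQL Server Edition = Standard
library!ReportServer_0-1!1a2b!01/01/2024-00:00:02:: i INFO: Initializing ConnectionType to Default
"""

# Assumed pattern for the start of a real log entry (what a BREAK_ONLY_BEFORE
# setting would carry); every line not matching it is merged into the previous event.
ENTRY_START = re.compile(r"^\w+!ReportServer_\d+-\d+!")


def load_conf(text):
    """Parse Splunk-style .conf text (INI-like) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive: keep REGEX, DEST_KEY as written
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def break_events(text, entry_start=ENTRY_START):
    """Simulate line merging: a new event starts only at a line matching entry_start;
    any other line (header lines, continuation lines) is appended to the current event.
    entry_start=None means 'never break', i.e. the whole file becomes one event."""
    events = []
    for line in text.splitlines():
        starts_new = not events or (entry_start is not None and entry_start.match(line))
        if starts_new:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def route_events(events, props, transforms, sourcetype):
    """Apply the sourcetype's TRANSFORMS-* chain to each event and return
    (indexed, dropped). An event whose queue ends up as nullQueue is dropped."""
    chain = []
    for key, value in props[sourcetype].items():
        if key.startswith("TRANSFORMS-"):
            chain.extend(name.strip() for name in value.split(","))
    indexed, dropped = [], []
    for event in events:
        queue = "indexQueue"
        for name in chain:
            t = transforms[name]
            # No MULTILINE flag on purpose: '^' anchors to the start of the whole event,
            # which is how a header regex behaves against a line-merged event.
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
                queue = t["FORMAT"]
        (dropped if queue == "nullQueue" else indexed).append(event)
    return indexed, dropped


def simulate(log_text=SAMPLE_LOG, entry_start=ENTRY_START):
    """Run the constructed log through the constructed props/transforms pair."""
    props = load_conf(PROPS_CONF)
    transforms = load_conf(TRANSFORMS_CONF)
    events = break_events(log_text, entry_start)
    return route_events(events, props, transforms, "ssrs_trace")


if __name__ == "__main__":
    kept, dropped = simulate()
    print(f"indexed {len(kept)} event(s), dropped {len(dropped)} header event(s)")
    # Failure mode: with no event breaking the header and every entry become one
    # event, the header regex matches it, and all of the data is silently discarded.
    kept_bad, dropped_bad = simulate(entry_start=None)
    print(f"with no event breaking: indexed {len(kept_bad)}, dropped {len(dropped_bad)}")
```

To use it against a real file, replace SAMPLE_LOG with the first few hundred lines of an actual SSRS log and ENTRY_START with whatever line-breaking rule the sourcetype really uses, then confirm that the dropped list contains only the header event. Keep in mind that queue routing via DEST_KEY = queue happens at parse time, so the transform has to live where parsing happens (an indexer or heavy forwarder), not on a universal forwarder.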