Sample Event:
2015-07-01 09:17:22,962|CACHE-NAME:upf-cccc-ttt-yyy2-zzz-cache|BACK-CACHE-ENTRIES:0|BACK-CACHE-SIZE-IN-BYTES:0|BACK-CACHE-SIZE-IN-MB:0|BACK-CACHE-AVG-SIZE:0|BACK-CACHE-NO-OF-GETS:0|BACK-CACHE-NO-OF-HITS:0
Tried below options...
Transforms.conf:
[sampleextract]
([A-Z|\-]+):([a-z|\-|\d]+)
OR
\|(?<_KEY_1>[A-Z|\-]+):(?<_VAL_1>[^|]+)
OR
\|(?<_KEY_1>[^:]+):(?<_VAL_1>[^|]+)
OR
\|([A-Z|\-]+):([a-z|\-|\d]+)
_raw
$1::$2
Props.conf:
Name Type Extraction/Transform
sampleextract : REPORT-samplesource Uses transform sampleext
Try this:
Transforms.conf:
[sampleextract]
REGEX = ([^|:\s]{3,}):([^|:\s]+)
FORMAT = $1::$2
MV_ADD = 1
Props.conf:
[mySourceType]
REPORT-sampleextract sampleextract