Hi,
I need to know how to put both of the following (search-time) extractions into .conf files.
sql_where_clause is an existing field.
Should I put them one by one in props.conf, or is it better to use transforms.conf?
Thanks,
Skender
| rex field=sql_where_clause "ccti_class = '(?P<class>.*?)' AND ccti_category = '(?P<category>.*?)' "
I resolved it using only props.conf:
[my_sourcetype]
...
...
EXTRACT-my_extractions = ccti_class = \'(?<class>[\w\s]+)\'.*ccti_category = \'(?<category>[\w\s]+)\'
Hi,
Thanks for your comment!
I am trying, but could you suggest an optimized regex to extract the two fields (class and category) to put in transforms.conf?
Here is the sample event:
ccti_class = 'Service Forniture' AND ccti_category = 'Computer science' AND ( ticket_type = 'Change Request' and ticket_impact_code = '2' ) AND ( ticket_type = 'Change Request' and ticket_urgency_code = '1' )
Would it be correct this way?
transforms.conf
[class_category]
REGEX = <regex expression to extract two fields>
SOURCE_KEY = field:sql_where_clause
props.conf
[my_sourcetype]
REPORT-class_category = class_category
That will be correct if you want to use transforms.conf. For just props.conf, see this
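Added example (not part of the thread above): a small Python script that runs the props.conf EXTRACT regex from the accepted answer against the sample event posted in the comment, so the two captured fields can be checked offline before the stanza goes into a production props.conf or transforms.conf. Splunk applies PCRE, where named groups are written `(?<name>...)`; Python's `re` module needs `(?P<name>...)`, which is the only translation applied. The second pattern, `TIGHT_REGEX`, is my own assumption and not from the thread: it matches each value up to its closing quote instead of with `[\w\s]+`, so values containing punctuation are still extracted and a greedy `.*` cannot run across unrelated fields.

```python
import re

# Constructed sample: the sql_where_clause value posted in the thread.
SAMPLE_WHERE_CLAUSE = (
    "ccti_class = 'Service Forniture' AND ccti_category = 'Computer science' "
    "AND ( ticket_type = 'Change Request' and ticket_impact_code = '2' ) "
    "AND ( ticket_type = 'Change Request' and ticket_urgency_code = '1' )"
)

# The props.conf EXTRACT regex from the answer, in Python syntax:
# Splunk/PCRE (?<name>...) becomes (?P<name>...) for Python's re module.
EXTRACT_REGEX = re.compile(
    r"ccti_class = '(?P<class>[\w\s]+)'.*ccti_category = '(?P<category>[\w\s]+)'"
)

# Assumed alternative (not from the thread): capture everything up to the
# closing quote, and use a lazy .*? between the two fields. Values with
# hyphens, slashes or dots are still extracted, and the pattern cannot
# skip past the first ccti_category on its way to a later one.
TIGHT_REGEX = re.compile(
    r"ccti_class = '(?P<class>[^']*)'.*?ccti_category = '(?P<category>[^']*)'"
)


def extract_fields(where_clause: str, pattern: re.Pattern = EXTRACT_REGEX) -> dict:
    """Return the fields a search-time extraction would add to the event.

    Mirrors Splunk's behaviour: an event that does not match the regex
    simply gets no new fields (an empty dict here), never an error.
    """
    match = pattern.search(where_clause)
    return match.groupdict() if match else {}


def extract_from_events(events, pattern: re.Pattern = EXTRACT_REGEX) -> list:
    """Apply the extraction to a batch of events, as a search would.

    Each result is (original_event, extracted_fields) so that events that
    produced no fields are easy to spot when tuning the regex.
    """
    return [(event, extract_fields(event, pattern)) for event in events]


if __name__ == "__main__":
    # Constructed second event whose values fall outside [\w\s], to show
    # the difference between the two patterns.
    events = [
        SAMPLE_WHERE_CLAUSE,
        "ccti_class = 'Hard-ware' AND ccti_category = 'Net/Sec'",
    ]
    for name, pattern in (("EXTRACT_REGEX", EXTRACT_REGEX), ("TIGHT_REGEX", TIGHT_REGEX)):
        print(name)
        for event, fields in extract_from_events(events, pattern):
            print("  ", fields or "(no match)", "<-", event[:60])
```

Running the script prints the class and category values for the posted sample under both patterns, and shows that the `[\w\s]+` character class from the answer leaves the constructed hyphenated event without any fields, which is the usual symptom when an extraction "works in testing" but silently misses part of production data.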