There are actually 2 parts to my question.
example.log
date,number,/我愛你/你愛他,last,xx12345
date,number,/我愛你/你愛他/他愛他,last,xx12345
date,number,/我愛你/你愛他/他愛他/他愛我,last,xx12345
props.conf
[example.log]
REPORT-sourcefields = source-fields
REPORT-sourcefield3 = source-field3
transforms.conf
[source-fields]
DELIMS = ","
FIELDS = field1,field2,field3,field4,field5
[source-field3]
SOURCE_KEY = field3
DELIMS = "/"
FIELDS = Category1,Category2,Category3,Category4,Category5,Category6
Does anyone have answers to this problem? Maybe my regex isn't correct, but I am really exhausted these days... unable to think straight at the moment.
I don't think Splunk would recognize it as a word, but maybe as a non-whitespace character?
^/{1}.\/(?
Thanks,
Kate