Hi,
How to extract the fields in the below Raw event using props.conf and transforms.conf
05/24/17 13:22:12 abcxyz dbmslogin_c[100]: [ddslogin.c.c][370]: [SECURITY] Successful login attempt from user kirna331 at Book12:Opennet
action=Successful user=kirna331 src=Book12 app=Opennet
props.conf [yourSourceType] TRANSFORM-somename = somename
transforms.conf [somename] REGEX = ([^\w]+) login attempt from user ([^\w]+) at ([^:]+):(.*) FORMAT = action=$1 user=$2 src=$3 app=$4
Try this
props.conf:
[mysourcetype] TRANSFORM-foo = foo
transforms.conf:
[foo] REGEX = ([^\s]+) login attempt from user ([^\s]+) at ([^:]+):(.*) FORMAT = action=$1 user=$2 src=$3 app=$4
