I have two firewall devices that log their activities in different formats. I'm trying to create CIM compliant logs. I want to have a field labeled "action" and I want it to set that field to either be be a value of "drop", "reject", "accept" based on some regex. The values drop, reject, or accept is not found in the event itself. This is what I have so far and it is not creating a field name action with the desired value.

props.conf
[host::192.168.1.1]
TRANSFORMS-junos = junos_action_deny,junos_action_allow

transforms.conf
[junos_action_deny]
REGEX = RT_FLOW_SESSION_DENY
FORMAT = action::drop

[junos_action_allow]
REGEX = RT_FLOW_SESSION_CREATE
FORMAT = action::allow

Example event

Jul 26 18:17:57 192.168.1.1 1 2017-07-26T18:17:57.909-07:00 fw3 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.40 source-address="184.105.139.110" source-port="44147" destination-address="192.168.1.10" destination-port="69" service-name="junos-tftp" protocol-id="17" icmp-type="0" policy-name="default-deny" source-zone-name="dmz" destination-zone-name="clients" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.1311" encrypted="UNKNOWN" reason="policy deny"] session denied 184.105.139.110/44147->192.168.1.10/69 junos-tftp 17(0) default-deny dmz clients UNKNOWN UNKNOWN N/A(N/A) reth0.1311 UNKNOWN policy deny