I use a couple of search-time REPORTs to extract fields in my props and transforms. I then want to employ another transform that sends certain events to nullqueue, based on values from the extracted fields.
(?m)^field = (value1|value2|value3)
OR
(?ms)field = (value1|value2|value3)
OR something else?
Null queuing happens at parse time via TRANSFORMS. REPORTs occur too late for null queueing.
Your TRANSFORMS rule will have to use a regex to find the values you've specified (e.g. value1, value2, value3), but without the benefit of "field=" (unless that also appears in the data).
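A parse-time version of the filter described in the answer above, as an added example that is not part of the original thread. The sourcetype name `my_sourcetype` and the stanza name `drop_unwanted_values` are placeholders, and the word-boundary regex assumes the values appear as whole words in the raw event text.

```ini
# props.conf (on the instance that parses the data: indexer or heavy forwarder)
# "my_sourcetype" is a placeholder sourcetype name.
[my_sourcetype]
TRANSFORMS-drop_unwanted = drop_unwanted_values

# transforms.conf
# "drop_unwanted_values" is a placeholder stanza name.
# REGEX is matched against the raw event text (_raw is the default source key),
# because search-time REPORT extractions do not exist yet at parse time.
# If the literal text "field = " is present in the raw data, prefix the
# group with it to narrow the match.
[drop_unwanted_values]
REGEX = \b(value1|value2|value3)\b
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to nullQueue are discarded before indexing and cannot be recovered by a later search, so keep the regex as narrow as the raw data allows.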