The following are my transforms.conf and props.conf in my cluster master which are sending all the logs for the below search
logtype=SAT (id="ABC-1" OR id="ABC-2")
transforms.conf
[send_to_heavyforwarder]
SOURCE_KEY = _meta
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
DEST_KEY = _TCP_ROUTING
FORMAT = heavyforwarder_output
props.conf
[default]
TRANSFORMS-heavyforwarder= send_to_heavyforwarder
Now, I want to filter the events when the below search condition is met
logtype=SAT id="ABC-2" username="anything that ends with -TEST"
In order to filter the events that match the above condition, how do I modify my REGEX in transforms.conf? I think I need to use something like a negative look-back, but I'm not sure what my new syntax should be to filter the events when username ends with "-TEST".
Any help would be great.
try this?
(logtype::SAT.*id::(ABC-1|ABC-2).*username::[^\-]+\-TEST)
OR
logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-TEST
Hi @mayurr98 I actually want to exclude any logs which contain "-TEST" at the end of username. The above answer will work if I wanted to include those logs.
I am trying to find the right syntax for excluding those, something like negative look-backs.
try this:
https://regex101.com/r/QhCN5V/1
logtype::SAT.*id::(ABC-1|ABC-2).*username::[^\-]+\-(?!TEST)
OR
logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-(?!TEST)
Thanks @mayurr98. It almost worked great, but what could be the regex if my username values are as follows:
abc-def-ghi
jkl-mno-TEST
agh_123
ghk-TEST
Among the above 4 examples, I just want to filter the username values that end with -TEST.
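An added example, not from the thread or from Splunk itself, that runs the regex suggested above and an anchored alternative over constructed _meta strings built from the four usernames. It assumes, as the thread's own regexes do, that _meta is a space-separated list of key::value pairs in the order logtype, id, username.

```python
import re

# Regex suggested in the thread. The negative lookahead only has to hold for
# SOME dash in the value: regex backtracking can pick an earlier dash, so a
# username like jkl-mno-TEST still matches (routes) via its first dash.
THREAD_REGEX = re.compile(
    r"logtype::SAT.*id::(ABC-1|ABC-2).*username::.*-(?!TEST)"
)

# Anchored alternative: treat the username value as one whitespace-free token
# and reject the whole token up front if it ends in -TEST (followed by a space
# or end of _meta). Events that do not match keep Splunk's default routing.
ANCHORED_REGEX = re.compile(
    r"logtype::SAT.*id::(ABC-1|ABC-2).*username::(?!\S*-TEST(?:\s|$))\S+"
)

# Constructed _meta strings (assumed key::value layout, not captured data).
SAMPLE_META = [
    "logtype::SAT id::ABC-2 username::abc-def-ghi host::h1",
    "logtype::SAT id::ABC-2 username::jkl-mno-TEST host::h1",
    "logtype::SAT id::ABC-1 username::agh_123 host::h1",
    "logtype::SAT id::ABC-1 username::ghk-TEST host::h1",
    "logtype::OTHER id::ABC-2 username::abc-def-ghi host::h1",
    "logtype::SAT id::ABC-1 username::ghk-TEST",  # username is the last field
]


def should_route(meta, pattern):
    """True when the routing transform's REGEX matches this event's _meta."""
    return pattern.search(meta) is not None


def route_decisions(pattern, metas=SAMPLE_META):
    """Routing decision per sample, in the order of SAMPLE_META."""
    return [should_route(m, pattern) for m in metas]


if __name__ == "__main__":
    for name, pat in (("thread", THREAD_REGEX), ("anchored", ANCHORED_REGEX)):
        print(name, route_decisions(pat))
```

The thread regex still routes jkl-mno-TEST, while the anchored form routes only the two usernames that do not end in -TEST; the same PCRE syntax is valid in a transforms.conf REGEX.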