Hi,
let's say we have events with _raw data like this:
<XY>aaa,bbbb,priority,high<XY>aaa,bbb,login,failed<XY>aaa,bbb,user,johndoe<XZ>
The events can include a random amount of this pattern.
Is it possible to create an automatic field extraction to get:
priority = high
login = failed
user = johndoe
So position 3 of the pattern should set the fieldname while position 4 sets the value.
Thankd in advance
Hi @HeinzWaescher
You can use props & transforms to do this:
transforms.conf
[fields-values]
FORMAT = $1::$2
REGEX = >\w+\,\w+\,(\w+)\,(\w+)
props.conf
[yourSourcetype]
REPORT-fields-values = fields-values
Let me know how you get on.
Hi @HeinzWaescher
You can use props & transforms to do this:
transforms.conf
[fields-values]
FORMAT = $1::$2
REGEX = >\w+\,\w+\,(\w+)\,(\w+)
props.conf
[yourSourcetype]
REPORT-fields-values = fields-values
Let me know how you get on.
Awesome! Thanks works fine, thanks a lot
you are welcome! 🙂