Yes, I have seen the documentation and I am having a problem getting my stanzas to work. I just want to grab Directory Administrators and Master Web Resource Admins and get rid of the rest of the messages since we will not be doing anything with them.
Here is props.conf:
[source::/n01/data/bsm/hand/access.20121113-082934]
TRANSFORMS-set= setnullldap,setparsingldap
Here is transforms.conf:
[setnullldap]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsingldap]
REGEX = Directory Administrators|Master Web Resource Admins
DEST_KEY = queue
FORMAT = indexQueue
SAMPLE OF RAW DATA THAT I WANT TO KEEP BECAUSE IT INCLUDES cn= Directory Administrators OR cn= Master Web Resource Admins. I want to discard the rest of the events besides the ones that have those two admins as CNs.
SAMPLE DATA BELOW:
[13/Nov/2012:09:00:04 -0500] conn=6333991 op=163 SRCH base="cn=Master Web Resource Admins,obapp=PSC,o=Oblix,o=test.com" scope=0 filter="(obuniquememberStr=uid=appcdt2,ou=people,ou=intranet,dc=test,dc=com)" attrs="1.1"
[13/Nov/2012:09:00:05 -0500] conn=6333969 op=443 SRCH base="cn=Directory Administrators,o=Oblix,o=test" scope=0 filter="(obuniquememberStr=uid=appcdt2,ou=people,ou=intranet,dc=test,dc=com)" attrs="1.1"
If any more information is needed, please just post. Thank you guys so much.
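An offline check of the routing logic in the transforms.conf above, added here as an example (it is not part of the original post and is not Splunk code). It models the documented behaviour that the transforms named in a TRANSFORMS-<class> setting run left to right and the last one that matches sets the queue. The function names, the third (BIND) event, and the use of Python's `re` in place of Splunk's PCRE engine are assumptions.

```python
import configparser
import re

# transforms.conf content copied from the post above.
TRANSFORMS_CONF = """
[setnullldap]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsingldap]
REGEX = Directory Administrators|Master Web Resource Admins
DEST_KEY = queue
FORMAT = indexQueue
"""

# Sample events: the first two are shortened from the post, the third is constructed.
EVENTS = [
    '[13/Nov/2012:09:00:04 -0500] conn=6333991 op=163 SRCH base="cn=Master Web Resource Admins,obapp=PSC,o=Oblix,o=test.com" scope=0',
    '[13/Nov/2012:09:00:05 -0500] conn=6333969 op=443 SRCH base="cn=Directory Administrators,o=Oblix,o=test" scope=0',
    '[13/Nov/2012:09:00:06 -0500] conn=6333970 op=1 BIND dn="uid=appcdt2,ou=people,ou=intranet,dc=test,dc=com" method=128',
]

def load_transforms(text):
    """Parse transforms.conf-style stanzas into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep REGEX / DEST_KEY / FORMAT in upper case
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def route(event, transforms, order, default_queue="indexQueue"):
    """Apply the transforms in the listed order; the last match sets the queue."""
    queue = default_queue
    for name in order:
        stanza = transforms[name]
        if stanza["DEST_KEY"] == "queue" and re.search(stanza["REGEX"], event):
            queue = stanza["FORMAT"]
    return queue

def simulate(order):
    """Return the final queue for each sample event under the given order."""
    transforms = load_transforms(TRANSFORMS_CONF)
    return [route(event, transforms, order) for event in EVENTS]

if __name__ == "__main__":
    # Order from the post's props.conf, then the reversed order for comparison.
    for order in (["setnullldap", "setparsingldap"], ["setparsingldap", "setnullldap"]):
        print(order, simulate(order))
```

With the order from the post, the two admin-group searches reach indexQueue and the BIND event is dropped; with the order reversed, the catch-all `.` runs last and every event goes to nullQueue.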