Hi,
I have a couple of comma separated cisco log files which is suppose to have different set of headers or fields. The said log files have common fields like so:
header#1: Timestamp,RDR_ID,SUBSCRIBER_ID,CLIENT_IP
header#2: Timestamp,RDR_ID,SUBSCRIBER_ID,SKIPPED_SESSIONS,CLIENT_IP
sample data#1:
1361171830137,4042321984,001ffb25b1d1@smartbro.net,192.168.1.1
1361171830473,4042321984,001ffb0f90bb@smartbro.net,192.168.1.2
1361171831107,4042321984,001ffb0f90bb@smartbro.net,192.168.1.3
sample data#2
1361171830137,4042323000,001ffb25b1d1@smartbro.net,0,192.168.1.1
1361171830473,4042323000,001ffb0f90bb@smartbro.net,1,192.168.1.2
1361171831107,4042323000,001ffb0f90bb@smartbro.net,0.192.168.1.3
my props.conf
[smart_sce_sourcetype]
REPORTS-multi = Transaction_Usage_RDR, Block_RDR
my transforms.conf
[Transaction_Usage_RDR]
REGEX="\W4042323000,"
DELIMS=","
FIELDS="TIMESTAMP","RDR_ID","SUBSCRIBER_ID","CLIENT_IP"
[Block_RDR]
REGEX="\W4042321984,"
DELIMS=","
FIELDS="TIMESTAMP","RDR_ID","SUBSCRIBER_ID","SKIPPED_SESSIONS","CLIENT_IP"
The RDR_ID(2nd column of the actual data) determines w/c header to use. You'll notice this on my regex. The 2 sample data are indexed and both headers are generated but client_ip data is going on the skipped_sessions. Also some of the columns are missing. I removed the other headers for briefness of presenting the problem. Generally speaking the indexed data is messed up. Kindly advice.
... View more