Hello,
i have an application that has an bug in the logging, but i need to workaround it.
log structure:
Dec 10 13:21:09 abc: request:
Session: ******
User-Agent: ********
Content-Length: ****
Content-Type: *********
positionDec 10 13:22:09 abc: reply:
Session: ********
Date: 2014-12-09T14:33:09Z
Range: *****
Scale: ****
Content-Type: ****
Content-Length: ***
position: ******
this are two events. in the request event it writes at the and in the beginning of the replay message "position:"
i tried already with seed to remove the "position:" - but it is valid in the replay event and it would remove this one as well.
i guess i need to do it via transforms.conf as it needs to be done before we check for the timestamp, otherwise the full line will be used to the event to detect the timestamp.
i tried to add via transforms a line break, but did not work.
[position-fix]
REGEX = (?m)^(.*)position.*
FORMAT = $1\n position1$2
DEST_KEY = _raw
thanks a lot for any advice.
... View more