topic Re: event tagging ..Multiple format lines in same log file in Getting Data In

event tagging ..Multiple format lines in same log file

desi-indian — Mon, 28 Sep 2020 10:20:21 GMT

Hi ,
I am trying to do a field extraction for a log ...the issue I am facing is the field lay out remains constant works fine for 90 % time but for remaining 10 % the log format changes

Example :

when I have a message line with "Authenticated" In there the user_ID is 9 th field

BUT when I have "LOGOFF" in the line the User_ID is coming in as 7 th field .

How do I define my props/transforms so I am capturing ALL User_IDs irrespective If it comes in 7 th field or 9 th field ?

Thanks for the help !

Re: event tagging ..Multiple format lines in same log file

ftk — Thu, 19 Jan 2012 19:10:56 GMT

Can you post your current extractions from props.conf and transforms.conf?

Re: event tagging ..Multiple format lines in same log file

lguinn2 — Mon, 23 Jan 2012 05:28:19 GMT

And a few lines from a log file, showing the alternate formats, would be helpful, too. You should anonymize any identifying data. Thanks!

Re: event tagging ..Multiple format lines in same log file

aalanisr26 — Thu, 16 Apr 2015 20:37:22 GMT

if for example you have:

First Kind of event,Some More field,Authentication,7,More,More
Second Kind of event,Data,Data,Data,Data,Data,Data,LogOFF,7,More,More

if you want to get the 7

(Authentication\,\d+|LogOFF\,\d)