I want to change the sourcetype for all incoming logs with sourcetypes not starting with abc. I have the following setting, but it would change it for all the sourcetypes:
#Transforms.conf on indexer
[noncerner:setnull]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (?::){0}^(?!ABC).*
#REGEX = ^(?!ABC).* tried it
#REGEX = sourcetype::^(?!ABC).* tried it
#REGEX = sourcetype::(?::)^(?!ABC).* tried it
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ABC:temp:logs
Any help is appreciated.
This is the syntax for what you want to do. Let me know.
[noncerner:setnull]
FORMAT = sourcetype::ABC:temp:logs
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Sourcetype
REGEX = sourcetype::(((?!abc)).*)
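As an added example (not from the thread), here is a small Python simulation of how the transform sees the MetaData:Sourcetype key: Splunk exposes it as the string "sourcetype::<name>", which is why the asker's ^(?!ABC).* matched everything while the accepted regex rewrites only sourcetypes not starting with abc. The sample sourcetype names are constructed, and the ABC:upper entry shows that the lookahead is case-sensitive, so the literal in (?!...) must match the case of the real sourcetypes.

```python
import re

# Splunk presents SOURCE_KEY = MetaData:Sourcetype not as the bare sourcetype
# but as "sourcetype::<name>", so a regex anchored at ^ sees "sourcetype::" first.
# Both regexes below are copied from the thread.
ORIGINAL_REGEX = r"^(?!ABC).*"                 # the asker's first attempt
ACCEPTED_REGEX = r"sourcetype::(((?!abc)).*)"  # the accepted answer
TARGET = "ABC:temp:logs"                       # from FORMAT = sourcetype::ABC:temp:logs


def metadata_value(sourcetype: str) -> str:
    """Mimic the MetaData:Sourcetype key as Splunk exposes it to transforms."""
    return f"sourcetype::{sourcetype}"


def apply_transform(sourcetype: str, regex: str) -> str:
    """Return the sourcetype after the transform: rewritten to TARGET if REGEX
    matches the metadata string, unchanged otherwise (re.match anchors at the
    start of the string, like Splunk's ^)."""
    if re.match(regex, metadata_value(sourcetype)):
        return TARGET
    return sourcetype


def rewritten_sourcetypes(sourcetypes, regex):
    """List the inputs that a given REGEX would rewrite."""
    return [st for st in sourcetypes if apply_transform(st, regex) == TARGET]


if __name__ == "__main__":
    # Constructed sample sourcetypes, not taken from the thread.
    sample = ["abc:app", "abc:db", "syslog", "cisco:asa", "ABC:upper"]
    for name, rx in [("original", ORIGINAL_REGEX), ("accepted", ACCEPTED_REGEX)]:
        print(name, "rewrites:", rewritten_sourcetypes(sample, rx))
```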
Very big thumbs up, it worked, thanks. I am testing a few more scenarios and will comment later today.
^((?!abc).)*
This regex should negate that the string exists.
There is no problem with the regex. It works when I put it in regex101. I think the problem is that we cannot use regex with sourcetype.