Hello
I have a few files for which I want to index just the first line and ignore everything else, as it's purely being used for information. All of them have the same pattern, so I guess I cannot use a regex to match and send them to the nullQueue. Is there any setting in props.conf which does that?
I would do it this way
props.conf
[mysinglefilesourcetype]
# never merge lines; the LINE_BREAKER below already keeps the file whole
SHOULD_LINEMERGE = false
# (*FAIL) is a PCRE verb that never matches, so no event boundary is ever found
LINE_BREAKER = ((*FAIL))
# the single event is cut at this many characters
TRUNCATE = 10000
which is a variation on this answer
What this does: (1) indexes the whole file as a single event but (2) cuts off everything after the first 10000 characters. You should set TRUNCATE to the maximum length of the first line. If you want to go even further, you could do this:
props.conf
[mysinglefilesourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ((*FAIL))
TRUNCATE = 10000
# the setting name is TRANSFORMS-<class>; "flo" is just a label for this class
TRANSFORMS-flo = firstlineonly
transforms.conf
[firstlineonly]
# (?m) makes ^ and $ match at line boundaries, so group 1 is the first line only
REGEX=(?m)^(.*?)$
# overwrite the event text with the captured first line
DEST_KEY=_raw
FORMAT=$1
Nope, this will only work on a static file.
Is there any way to uniquely identify the first event of the day?
And should that props.conf be written on the forwarder side?
I guess this will work well on a static file. I have a syslog server which is collecting all info in a single log file per device. So will the props.conf see that it has to allow one event each day from the same log file?
I was not sure whether it should be
REGEX=(?m)^(.*?)$
or
REGEX=^(.*?)$
But looking at a regex reference makes me think that it should have the (?m).
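To see why the (?m) matters, and how the TRUNCATE/transform chain from the answer behaves, here is an added simulation in Python. It is not code from the answerer or from Splunk: it uses Python's re module as a stand-in for Splunk's PCRE engine (the (?m) semantics agree for this pattern), assumes truncation happens before the transform regex runs and that a non-matching REGEX leaves _raw unchanged, and the sample file content is constructed.

```python
import re

# Assumption: TRUNCATE is applied before the index-time transform, as the
# answer describes. Value taken from the props.conf in the answer.
TRUNCATE = 10000

# The two candidate regexes from the question. In Splunk these are PCRE;
# Python's re has the same (?m) behaviour for this pattern.
FIRST_LINE_MULTILINE = re.compile(r"(?m)^(.*?)$")   # REGEX=(?m)^(.*?)$
FIRST_LINE_NO_FLAG = re.compile(r"^(.*?)$")         # REGEX=^(.*?)$


def apply_transform(event, pattern, truncate=TRUNCATE):
    """Model of TRUNCATE followed by a transform with DEST_KEY=_raw, FORMAT=$1.

    Returns the new _raw. If the REGEX does not match, the transform does not
    fire and the (truncated) event is returned unchanged (assumed behaviour).
    """
    event = event[:truncate]
    m = pattern.search(event)
    if m is None:
        return event
    return m.group(1)


def first_line_only(file_text, use_multiline_flag=True, truncate=TRUNCATE):
    """Model of the whole sourcetype: LINE_BREAKER=((*FAIL)) never matches,
    so the entire file becomes one event, which the transform then reduces
    to its first line."""
    events = [file_text]  # no line breaks are ever found
    pattern = FIRST_LINE_MULTILINE if use_multiline_flag else FIRST_LINE_NO_FLAG
    return [apply_transform(e, pattern, truncate) for e in events]


# Constructed sample file: an informational header line followed by detail
# lines that should not be indexed.
SAMPLE_FILE = (
    "device=router01 site=lab-east generated=2024-01-01\n"
    "interface Gi0/1 up\n"
    "interface Gi0/2 down\n"
)

if __name__ == "__main__":
    print("with (?m):   ", first_line_only(SAMPLE_FILE))
    print("without (?m):", first_line_only(SAMPLE_FILE, use_multiline_flag=False))
    # TRUNCATE shorter than the first line cuts the line itself, which is
    # why the answer says to size it to the longest first line.
    print("TRUNCATE=6:  ", first_line_only(SAMPLE_FILE, truncate=6))
```

Without (?m), $ only matches at the very end of the event (or just before a final newline), and . does not cross newlines, so ^(.*?)$ fails on any multi-line file and the whole event is kept; with (?m) the first line is captured. The last call shows the TRUNCATE caveat: a value shorter than the first line cuts that line short.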