below is few sample of how my source filename look like-
source="\\abc.com\storage\Queue\Name1\abcdLogs\sample0008095200531.txt"
source="\\abc.com\storage\Queue\Name1\abcdLogs\sample0008096200531.txt"
Here Last 6 field before .txt
represent Date. i.e. In above case 200531
is 31st May 2020.
I want to extract Id which comes before Date and after sample at indextime. and In Id if 0 are at left needs to be excluded(if present) so in above two cases my Id will be 8095
and 8096
Below is my transforms.conf -
[Id]
SOURCE_KEY = MetaData:Source
REGEX = sample0*([0-9A-Za-z]+)\d{6}.*txt
FORMAT = Id::$1
WRITE_META = true
fields.conf -
[Id]
INDEXED=true
INDEXED_VALUE=source::*<VALUE>*
Now when I search for ex. Id="8095" it won't return any results. but when I search Id="*8095" then it does return results. sometime I have to include wild card at start or at end to show results.
Why space is getting included at start or at end of Id? My doing anything wrong?
Thanks,
Your RegeEx looks good, although I'd suggest replacing .*txt
with \.*txt
, i.e. match ".txt" literally.
In fields.conf, you may want to set INDEXED_VALUE=false
, because you are creating a new indexed field named "Id", the value for which is NOT contained in the raw event text.
Let us know how it goes.