I have configured props.conf and transforms.conf on a Heavy Forwarder in order to split an existing sourcetype into sub-categories. I have utilized what appears to be the general convention for naming layers in sourcetypes, i.e. a:b:c:d.
Now, the sourcetype I am splitting is a:b, which generates a:b:c and a:b:c:d. Everything is working fine and I am getting the data into the indexes and the formatting is perfect. What is bothering me is that in order to search for the a:b:c and a:b:c:d sources I have to use a trailing wildcard. As a:b:c and a:b:c:d each contain quite a bit of data, I would like to look at either one.
It's in no way a show-stopper, but I would just like to check if I have missed something with regard to the config or if this is just the way it is.
props.conf:

[a:b]
TRANSFORMS-changeSourceType = set:a:b:c, set:a:b:c:d
BREAK_ONLY_BEFORE = (%)|(VOIP_CALL_STATISTICS)

transforms.conf:

[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = a:b:c

[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = a:b:c:d
Edit:
After some further investigation it gets even stranger: I have to include a search word, in addition to the trailing wildcard, in order for data to be displayed.
index=something sourcetype=a:b:c:d*
gives no results, while
index=something sourcetype=a:b:c:d* foo
gives results containing foo.
I forgot to mention I am running version 6.5.0.
Hi,
You need to prepend sourcetype:: in the FORMAT value.

[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = sourcetype::a:b:c

[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = sourcetype::a:b:c:d
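As an added example (not part of this thread), a small Python check that parses the corrected stanzas with the standard configparser module, refuses any sourcetype-rewriting transform whose FORMAT lacks the sourcetype:: prefix, and simulates which sourcetype each constructed sample event ends up with. The sample events and the simulated ordering rule (transforms in a TRANSFORMS list run in order, a later match overriding an earlier one) are assumptions, not output from a Splunk instance.

```python
import configparser
import re
# Constructed copies of the stanzas from this thread, with the answer's corrected FORMAT values.
PROPS_CONF = """
[a:b]
TRANSFORMS-changeSourceType = set:a:b:c, set:a:b:c:d
BREAK_ONLY_BEFORE = (%)|(VOIP_CALL_STATISTICS)
"""

TRANSFORMS_CONF = """
[set:a:b:c]
DEST_KEY = MetaData:Sourcetype
REGEX = (%VOIP)
FORMAT = sourcetype::a:b:c
[set:a:b:c:d]
DEST_KEY = MetaData:Sourcetype
REGEX = (VOIP_CALL_STATISTICS)|(DSP)
FORMAT = sourcetype::a:b:c:d
"""

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)  # keep the '%' in REGEX values literal
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp

def transform_chain(props, transforms, stanza):
    """Ordered (name, compiled REGEX, new sourcetype) for the TRANSFORMS-* keys of a props stanza."""
    chain = []
    for key, value in props[stanza].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            st = transforms[name]
            if st.get("DEST_KEY") != "MetaData:Sourcetype":
                continue  # only sourcetype rewrites are checked here
            fmt = st["FORMAT"]
            if not fmt.startswith("sourcetype::"):  # the mistake the question's config had
                raise ValueError(f"[{name}] FORMAT={fmt!r} is missing the sourcetype:: prefix")
            chain.append((name, re.compile(st["REGEX"]), fmt[len("sourcetype::"):]))
    return chain

def resulting_sourcetype(event, chain, default="a:b"):
    """Assumed rule: transforms run in list order and a later match overrides an earlier one."""
    sourcetype = default
    for _name, regex, new_sourcetype in chain:
        if regex.search(event):
            sourcetype = new_sourcetype
    return sourcetype
```

Running it against a constructed event that contains both %VOIP and DSP shows why the order of the TRANSFORMS list matters: that event lands in a:b:c:d, not a:b:c.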
Just to get it right - you don't get data when searching for sourcetype=a:b:c, but it works with sourcetype=a:b:c*?
Yes, that is correct. Edit to make a bit more clear. 🙂