Solved: how to write the props.conf stanze to test the tra...

pavanae · ‎08-27-2019

The following is transforms.conf in my search head

[a_b]
SOURCE_KEY = _meta
REGEX = (logtype::A.*(id::(123|456)|(id::789.*username!::[a-zA-Z]{2,3}-+.*?-ZLX))
DEST_KEY = _ghi
FORMAT = KLMN

Now how to write my props.conf in order to test the REGEX in the above transforms.conf works. Especially I would like to see if the id=789 and username not equall to the string that ends with -ZLX?

p_gurav · ‎08-28-2019

To props.conf, add the following lines:

[<sourcetype_name>]
TRANSFORMS-<class> = a_b

View solution in original post

woodcock · ‎09-01-2019

Why are you using SOURCE_KEY = _meta? What do you think that your REGEX will match (and have you tested it with a tool like http://www.RegEx101.com)?

p_gurav · ‎08-28-2019

To props.conf, add the following lines:

[<sourcetype_name>]
TRANSFORMS-<class> = a_b

pavanae · ‎08-28-2019

Thanks @p_gurav. what does line 2 means. What should I specify there?

woodcock · ‎09-01-2019

The <class> is fully arbitrary and the only requirement is that it must be unique across all configuration settings so do not pick a common/simple string.

how to write the props.conf stanze to test the transforms Regex?

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update