We have the following layout in the LDAP (Oracle) directory audit file:
time: 20180724072339
dn: uid=<uid>,ou=people,dc=<dc>,dc=com
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 2
-
add: pwdFailureTime
pwdFailureTime: 20180724122331.986Z
-
<blank line>
How can we extract the event from the time: part until the blank line?
Let's give this a try first (props.conf on your indexer/heavy forwarder)
[YourSourcetype]
LINE_BREAKER = ([\r\n]+)(?=time\:\s*\d+)
SHOULD_LINEMERGE = false
TIME_PREFIX = ^time\:\s*
TIME_FORMAT = %Y%m%d%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 14
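To check the props.conf settings above offline before pushing them to an indexer, here is an added example (not from the original post or from Splunk) that applies the same LINE_BREAKER regex, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT logic in Python to a constructed two-event sample of the audit file, then parses each event's dn, changetype and modifications and rolls up the latest passwordRetryCount per dn. The uid and dc values in the sample, and the function names, are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample of the Oracle directory audit file from the question:
# two events, a blank line between them, placeholder uid/dc values.
SAMPLE_AUDIT = """time: 20180724072339
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 2
-
add: pwdFailureTime
pwdFailureTime: 20180724122331.986Z
-

time: 20180724072401
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 3
-
add: pwdFailureTime
pwdFailureTime: 20180724122353.112Z
-
"""

# Same regex as the props.conf LINE_BREAKER: the capture group is the run of
# newlines that is discarded, the lookahead keeps "time: <digits>" at the head
# of the next event without consuming it (so the blank line never becomes
# part of an event).
LINE_BREAKER = re.compile(r"([\r\n]+)(?=time:\s*\d+)")
TIME_PREFIX = re.compile(r"^time:\s*")
TIME_FORMAT = "%Y%m%d%H%M%S"
MAX_TIMESTAMP_LOOKAHEAD = 14


def split_events(raw):
    """Break the raw file into events as Splunk would with SHOULD_LINEMERGE=false."""
    parts = LINE_BREAKER.split(raw)
    # re.split also returns the captured separators; keep only non-blank chunks.
    return [p.strip("\r\n") for p in parts if p.strip()]


def extract_timestamp(event):
    """Apply TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT to one event."""
    m = TIME_PREFIX.match(event)
    if not m:
        raise ValueError("event does not start with 'time:'")
    digits = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # The time: value carries no zone, so this is a naive datetime.
    return datetime.strptime(digits, TIME_FORMAT)


def parse_event(event):
    """Return the LDIF-style change record as a dict: _time, dn, changetype and
    the (op, attribute, value) modifications that are separated by '-' lines."""
    rec = {"_time": extract_timestamp(event), "mods": []}
    op = None
    for line in event.splitlines()[1:]:
        if line.strip() == "-":        # end of one modification block
            op = None
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("dn", "changetype"):
            rec[key] = value
        elif key in ("add", "replace", "delete"):
            op = (key, value)          # the next line carries the attribute value
        elif op and key == op[1]:
            rec["mods"].append((op[0], key, value))
    return rec


def failed_attempts_per_dn(raw):
    """Detection-style roll-up: latest passwordRetryCount seen for each dn."""
    latest = {}
    for rec in map(parse_event, split_events(raw)):
        for _op, attr, value in rec["mods"]:
            if attr == "passwordRetryCount":
                latest[rec["dn"]] = int(value)
    return latest


if __name__ == "__main__":
    for rec in map(parse_event, split_events(SAMPLE_AUDIT)):
        print(rec["_time"], rec["dn"], rec["mods"])
    print(failed_attempts_per_dn(SAMPLE_AUDIT))
```

Two things worth noting when you move this to Splunk: the `time:` value has no timezone (compare it with the UTC `pwdFailureTime` in the same event, which is five hours ahead), so `TIME_FORMAT = %Y%m%d%H%M%S` will be interpreted with the sourcetype's `TZ` setting or the indexer's local zone; and MAX_TIMESTAMP_LOOKAHEAD = 14 is exactly the width of the digit string, which is what the slice above mirrors.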
Gorgeous @somesoni2 as usual. Please convert to an answer ;-)
So you want to consider the event boundary from time:... till the next blank line (or the next time:...)?
I guess until next blank line would be great...
@somesoni2 - any thoughts about this one?