When I use wildcards in the startswith or endswith for transaction, I get unexpected behavior. In short, if I specify something like startswith="aaa * bbb ccc", then it seems to match strings of the form "aaa*ccc".

Sometimes I can get around this by specifying startswith=(="aaa yyyy bbb ccc" OR ="aaa zzzz bbb ccc") when this is possible, and it behaves as I expect.

It seems like I should be able to use regex in these clauses, but so far I have not been able to make it work. Something like startswith=(regex _raw="aaa\\s[\\w]+\\sbbb\\sccc")
You can use regexes in an eval statement, which is valid for startswith. Here's an example:
... | transaction field startswith=eval(match(_raw, "\d\d\s+start")) endswith=end
This matches the following events into one transaction:
2013-01-30T12:32:34+00:00 start field=10000
2013-01-30T12:39:27+00:00 end field=10000
As a counter-example, adding another \d in the regex breaks the transaction apart because startswith doesn't match.
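The following is an added example, not part of the answer above or of Splunk itself: a small Python model of how transaction groups events by field once startswith is a regex predicate and endswith is a plain string. It runs the answer's regex over the two sample events (plus a constructed second pair with field=20000) and shows why the extra \d breaks the grouping: in "+00:00 start" only two digits precede the whitespace before "start", so \d\d\d\s+start never matches and no transaction opens. The grouping function is a simplified stand-in for the real command (forward order, one open transaction per field value), and the third and fourth sample lines are constructed.

```python
import re

# Constructed sample events: the two lines from the answer above plus a
# second, hypothetical start/end pair with a different field value.
EVENTS = [
    "2013-01-30T12:32:34+00:00 start field=10000",
    "2013-01-30T12:39:27+00:00 end field=10000",
    "2013-01-30T12:40:01+00:00 start field=20000",
    "2013-01-30T12:41:15+00:00 end field=20000",
]

FIELD_RE = re.compile(r"\bfield=(\S+)")


def splunk_match(raw, pattern):
    """Mimic eval match(_raw, pattern): an unanchored regex search."""
    return re.search(pattern, raw) is not None


def transaction(events, startswith, endswith):
    """Toy model of `transaction field startswith=eval(match(_raw, RE)) endswith=STR`.

    Events are grouped per value of `field`. A group opens when the start
    regex matches and closes when the end string appears in _raw. Events
    that arrive while no transaction is open for their field value stay
    ungrouped, which is the "breaks the transaction apart" behaviour the
    answer describes. This is a simplification of the real command.
    """
    open_txn = {}   # field value -> events of the transaction in progress
    closed = []     # completed (or dangling) transactions
    ungrouped = []  # events that matched no open transaction
    for raw in events:
        m = FIELD_RE.search(raw)
        key = m.group(1) if m else None
        if splunk_match(raw, startswith):
            if key in open_txn:
                # a new start for the same key closes the previous one
                closed.append(open_txn.pop(key))
            open_txn[key] = [raw]
        elif key in open_txn:
            open_txn[key].append(raw)
            # endswith is a substring test here, so "end" would also hit
            # "endpoint"; anchor it in eval(match(...)) if that matters
            if endswith in raw:
                closed.append(open_txn.pop(key))
        else:
            ungrouped.append(raw)
    closed.extend(open_txn.values())
    return closed, ungrouped


if __name__ == "__main__":
    for pattern in (r"\d\d\s+start", r"\d\d\d\s+start"):
        closed, ungrouped = transaction(EVENTS, pattern, "end")
        print(pattern, "->", len(closed), "transactions,", len(ungrouped), "ungrouped")
```

Running it with the answer's regex yields two complete transactions; with \d\d\d it yields none and all four events are left ungrouped, which is exactly the behaviour to expect from Splunk when the startswith predicate never fires.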