Hi
I have one question: is it possible to count the number of events in regex format for writing in transforms.conf?
It seems that in your event, double quotes are present around the action= value. Can you try the below:
in transforms.conf-
# First stanza: match every event and route it to nullQueue (discard)
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
# Second stanza: events containing action="deny" (the \" matches the literal quote) are sent back to indexQueue
[setparsing]
REGEX = action=\"deny\"
DEST_KEY = queue
FORMAT = indexQueue
Thank you, it works now.
@khanlarloo I have converted @493669's comment to an Answer. Please accept it to mark this question as answered!
Please provide more details about what you are trying to do. What exactly are you trying to achieve via transforms.conf?
I want my HF to send a specific field to my receiver and count the number of different strings. I configured props.conf and transforms.conf, but it doesn't work.
I have a field named action=deny; I want to send just this field to my receiver, and have it count this field.
[setnull]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue
Can you try these settings:
in props.conf-
[sourcetypename]
TRANSFORMS-set= setnull,setparsing
Here, make sure the setnull stanza appears first in the list.
in transforms.conf-
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = action=deny
DEST_KEY = queue
FORMAT = indexQueue
I tried this, but it doesn't work; when I do this I don't receive any logs.
here is my event
Aug 26 13:57:02 192.168.X.3 date=2018-08-26 time=13:51:33 devname="FGT-Lab" devid="FGT" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1535275293 srcip=192.168.X.100 srcport=18730 srcintf="wan1" srcintfrole="wan" dstip=192.168.X.3 dstport=8443 dstintf="root" dstintfrole="undefined" sessionid=5399 proto=6 action="close" policyid=1 policytype="local-in-policy" service="tcp/8443" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="Web Management(HTTPS)" duration=3 sentbyte=5166 rcvdbyte=204729 sentpkt=81 rcvdpkt=150 appcat="unscanned"
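To see why the asker's stanzas drop everything while the accepted answer's stanzas keep only the deny events, the following is an added offline emulation of Splunk's queue routing, written for this thread and not code from Splunk or from any poster. It models the documented behaviour only: the stanzas listed in a TRANSFORMS-<class> setting are applied in order to the raw event, and the last matching stanza that writes DEST_KEY = queue decides the queue. The function names (`stanza`, `route`) are assumptions made here, the close event is the FortiGate event posted above (trimmed), and the deny event is constructed from it by swapping the action value.

```python
"""
Emulate how Splunk applies a TRANSFORMS-<class> list of queue-routing
stanzas to one raw event, so the regexes from the thread can be checked
offline against the posted FortiGate event.

Added illustration, not Splunk's own code: the routing model (stanzas
applied in listed order, last DEST_KEY=queue write wins) follows the
documented behaviour; the helper names are assumptions made here.
"""
import re

# Constructed sample events: the first is the event posted in the thread
# (trimmed), the second is the same event with action="deny".
EVENT_CLOSE = ('Aug 26 13:57:02 192.168.X.3 date=2018-08-26 time=13:51:33 '
               'devname="FGT-Lab" devid="FGT" logid="0001000014" type="traffic" '
               'subtype="local" level="notice" vd="root" srcip=192.168.X.100 '
               'dstport=8443 proto=6 action="close" policyid=1')
EVENT_DENY = EVENT_CLOSE.replace('action="close"', 'action="deny"')


def stanza(name, regex, fmt):
    """One transforms.conf stanza of the form REGEX / DEST_KEY = queue / FORMAT."""
    return {"name": name, "regex": re.compile(regex), "dest_key": "queue", "format": fmt}


def route(event, transforms, default="indexQueue"):
    """Apply the stanzas in TRANSFORMS-<class> order; the last matching stanza
    that writes DEST_KEY = queue decides where the event goes."""
    queue = default
    for t in transforms:
        if t["regex"].search(event):
            queue = t["format"]
    return queue


# Exactly the asker's transforms.conf: the REGEX has no quotes, so it never
# matches action="deny" and every event stays in nullQueue.
ASKER = [
    stanza("setnull", r".*", "nullQueue"),
    stanza("setparsing", r"action=deny", "indexQueue"),
]

# Exactly the accepted answer: \" matches the literal quote that FortiGate
# puts around the value, so deny events are routed back to indexQueue.
ANSWER = [
    stanza("setnull", r".", "nullQueue"),
    stanza("setparsing", r"action=\"deny\"", "indexQueue"),
]

# The answer's stanzas listed in the wrong order in props.conf: setnull runs
# last, matches everything, and discards the deny events too.
WRONG_ORDER = list(reversed(ANSWER))


def main():
    for label, transforms in (("asker", ASKER), ("answer", ANSWER),
                              ("wrong order", WRONG_ORDER)):
        print(f"{label:12s} close -> {route(EVENT_CLOSE, transforms):10s} "
              f"deny -> {route(EVENT_DENY, transforms)}")


if __name__ == "__main__":
    main()
```

Running it prints one line per configuration; only the "answer" row sends the deny event to indexQueue, which is the behaviour the asker reported once the quoted regex was in place.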