Hello,
I have events in the following format:
20/08/19 16:34:17 login1 command RunAsUsers="web,tomcat,embed"
with the following configs
props.conf:
[mysourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %d/%m/%y %H:%M:%S
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
KV_MODE = auto_escaped
REPORT-mysourcetype = login,user
transforms.conf:
[login]
REGEX = ^[\d\s/:]+(?P<user>\w*)\s+(?P<type>\w*)
[user]
SOURCE_KEY = RunAsUsers
REGEX = (?P<user>[^,]+)
MV_ADD = true
The fields "user", "type" and "RunAsUsers" are extracted correctly, but the multivalue "user" field is not created.
Any idea what I'm doing wrong?
Thanks
Christian
Hello,
For information, Splunk support gave me the following solution, using the config file "fields.conf":
[RunAsUsers]
TOKENIZER = ([^,]+)
Regards
Christian
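To make the accepted fields.conf answer concrete, here is an added Python simulation of the search-time pipeline described in this thread (the REPORT regex from the [login] stanza, a KV_MODE-style key=value extraction, and the TOKENIZER from the fields.conf solution turning RunAsUsers into a multivalue field). This is example code written for this page, not Splunk's own extraction engine: the sample event is constructed from the format posted above, and the key=value regex is only an approximation of what KV_MODE = auto_escaped does.

```python
import re
from typing import Dict, List, Optional

# Constructed sample event, copied from the format shown in the question (not real log data).
SAMPLE_EVENT = '20/08/19 16:34:17 login1 command RunAsUsers="web,tomcat,embed"'

# transforms.conf [login] stanza, with the corrected capture-group name "login".
LOGIN_REGEX = re.compile(r'^[\d\s/:]+(?P<login>\w*)\s+(?P<type>\w*)')

# Rough stand-in for KV_MODE = auto_escaped: key="quoted value" or key=barevalue.
# Assumption: real Splunk auto KV extraction handles more cases than this.
KV_REGEX = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# fields.conf [RunAsUsers] TOKENIZER = ([^,]+): every match of group 1 becomes one value.
TOKENIZER = re.compile(r'([^,]+)')


def extract_fields(event: str) -> Dict[str, List[str]]:
    """Single-value extraction: REPORT regex first, then key=value pairs."""
    fields: Dict[str, List[str]] = {}
    m = LOGIN_REGEX.match(event)
    if m:
        for name, value in m.groupdict().items():
            fields[name] = [value]
    for key, quoted, bare in KV_REGEX.findall(event):
        fields[key] = [quoted if quoted else bare]
    return fields


def tokenize(value: str, tokenizer: re.Pattern = TOKENIZER) -> List[str]:
    """Apply a TOKENIZER regex: each match of capture group 1 is one multivalue entry."""
    return [m.group(1) for m in tokenizer.finditer(value)]


def extract_with_tokenizer(
    event: str, tokenized_fields: Optional[Dict[str, re.Pattern]] = None
) -> Dict[str, List[str]]:
    """Extract fields, then split any field that has a TOKENIZER into multiple values."""
    if tokenized_fields is None:
        tokenized_fields = {"RunAsUsers": TOKENIZER}
    fields = extract_fields(event)
    for name, tok in tokenized_fields.items():
        if name in fields:
            fields[name] = [t for v in fields[name] for t in tokenize(v, tok)]
    return fields


if __name__ == "__main__":
    for name, values in extract_with_tokenizer(SAMPLE_EVENT).items():
        print(f"{name} = {values}")
```

Note that the tokenizer `([^,]+)` silently drops empty entries from input such as `a,,b`; if an empty element should be preserved as a value, the regex would need to change.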
Sorry, the regex in [login] is
^[\d\s/:]+(?P<login>\w*)\s+(?P<type>\w*)
The field login is extracted correctly but user is not.