What is the problem you are trying to solve?
I am trying to parse the squid.conf file into a table. I can't actually post the conf file due to security reason.
sourcetype="conf_no_timestamp"
| rex "( P<rule_name>^http_access|acl|cache|always_direct|persistent_request_timeout|request_timeout|follow_x_forwarded_for)\s(?P<action>[\w]+)\s(?<server_group_name>.*)$"
| eval action=split(action," ")
| eval server_group_name=split(server_group_name, " ")
| where action like "allow"
| table rule_name, server_group_name, action
| append
[ search sourcetype="conf_no_timestamp"
| rex "(?P<rule_name>^http_access|acl|cache|always_direct|persistent_request_timeout|request_timeout|follow_x_forwarded_for)\s(?P<server_group_name>[\w]+)\s(?<dest>.*)$"
| eval server_group_name=split(server_group_name," ")
| eval dest=replace(dest, "dstdomain|src|any-of|dst|# ", ""), dest=replace(mvjoin(dest, " "), "/32", "|"), dest=split(dest, "|"), dest=split(dest, " ")
| where rule_name like "acl"
| table rule_name, dest, server_group_name]
| fillnull value="allow" action
| stats values(rule_name) as rule_name values(dest) as dest values(action) as action count by server_group_name
Can you share some sample events that you are trying to process?