Splunk Search

field extraction on Chinese characters

cpuppet
Path Finder

There are actually 2 parts to my question.

  1. I want to do a field extraction based on an existing field. I have read some of the questions on Answers and found some possible solutions to my problem, but was still unable to get it working correctly. I tried the n-level transforms.conf and props.conf way using DELIMS, as I think it should be an easy way to separate my field, since the data is not fixed in the number of different sections it might have. Another way may also be using rex, but I also found out that I was not able to point out exactly where I want to extract my category. I listed out both my source and my props.conf/transforms.conf example here.

example.log
date,number,/我愛你/你愛他,last,xx12345
date,number,/我愛你/你愛他/他愛他,last,xx12345
date,number,/我愛你/你愛他/他愛他/他愛我,last,xx12345

props.conf
[example.log]
REPORT-sourcefields = source-fields
REPORT-sourcefield3 = source-field3

transforms.conf
[source-fields]
DELIMS = ","
FIELDS = field1,field2,field3,field4,field5

[source-field3]
SOURCE_KEY = field3
DELIMS = "/"
FIELDS = Category1,Category2,Category3,Category4,Category5,Category6

  2. When using sourcetype="example.log" | rex field=field3 (?^/{1}\w+) in my search command, I found that it will not recognize my Chinese characters when I use \w+, but it works well in my regex tool.

Does anyone have answers to this problem? Maybe my regex isn't correct, but I am really exhausted these days... unable to think straight at the moment.

0 Karma

Kate_Lawrence-G
Contributor

I don't think Splunk would recognize it as a word, but maybe as a non-whitespace character?
^/{1}.\/(?\S+)

Thanks,

Kate

0 Karma
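The two approaches discussed in this thread (the DELIMS-based transforms.conf stanzas from the question, and the \w versus \S character classes from the question and Kate's reply) can be checked offline. The following is an added example, not code from the original post or from Splunk; it models Splunk's PCRE behaviour with Python's re.ASCII flag, because a PCRE engine without Unicode character properties treats \w as [A-Za-z0-9_] and so never matches a CJK character, while \S matches anything that is not whitespace, slashes included. The sample lines and the function names are constructed for this example.

```python
import re

# Constructed sample lines modelled on the example.log in the question.
SAMPLE_LOG = [
    "date,number,/我愛你/你愛他,last,xx12345",
    "date,number,/我愛你/你愛他/他愛他,last,xx12345",
    "date,number,/我愛你/你愛他/他愛他/他愛我,last,xx12345",
]


def extract_fields(line):
    """Mimic the [source-fields] stanza (DELIMS=","): split a raw line into
    field1..field5. Delimiter splitting is byte-agnostic, so CJK text is no
    different from ASCII here."""
    parts = line.split(",")
    return {f"field{i}": value for i, value in enumerate(parts, start=1)}


def extract_categories(field3, max_categories=6):
    """Mimic the [source-field3] stanza (SOURCE_KEY=field3, DELIMS="/"):
    split field3 into Category1..CategoryN. The leading "/" yields an empty
    first token, which is dropped so that Category1 is the first real path
    component regardless of how many components a given event carries."""
    tokens = [token for token in field3.split("/") if token]
    return {
        f"Category{i}": token
        for i, token in enumerate(tokens[:max_categories], start=1)
    }


def rex_first_category(field3, char_class):
    r"""Apply a rex-style pattern ^/(?<cat>CLASS+) to field3 using ASCII
    semantics for \w and \s, which is how a PCRE engine behaves without
    Unicode properties. Returns the captured text, or None when the pattern
    does not match at all."""
    pattern = r"^/(?P<cat>" + char_class + r"+)"
    match = re.match(pattern, field3, re.ASCII)
    return match.group("cat") if match else None


def compare_character_classes(field3):
    """Run the three candidate classes over one field3 value so the
    difference is visible side by side:
      \\w   -> None (no ASCII word character after the leading slash)
      \\S   -> over-matches, because "/" is not whitespace
      [^/]  -> exactly the first path component"""
    return {
        cls: rex_first_category(field3, cls)
        for cls in (r"\w", r"\S", r"[^/]")
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        fields = extract_fields(line)
        print(fields["field3"], extract_categories(fields["field3"]))
        print("  ", compare_character_classes(fields["field3"]))
```

The useful takeaway is that splitting on the delimiter (the transforms.conf route) needs no character class at all and copes with a variable number of sections, and that if a rex is preferred, a negated class such as [^/] both accepts non-ASCII text and stops at the next slash, which \S alone does not.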