The following are my transforms.conf and props.conf in my cluster master
transforms.conf
[send_to_heavyforwarder]
SOURCE_KEY = _meta
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
DEST_KEY = _TCP_ROUTING
FORMAT = heavyforwarder_output
props.conf
[default]
TRANSFORMS-heavyforwarder= send_to_heavyforwarder
This is used to send logs to a heavy forwarder only when the fields match the regex condition specified in transforms.conf, which is below:
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
Now I need to send one more id (whose field value is ABC-3) to the heavyforwarder, but instead of sending all the logs to the heavyforwarder I need to exclude sending logs to the heavyforwarder when a username field ends with the string "TEST". For that I have modified my regex in transforms.conf as below:
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2)) | (logtype::SAT.*id::ABC-3.*username!::[a-zA-Z]{2,3}-+.*?-TEST)
Could anyone verify the above regex and confirm whether I used the right condition to satisfy the requirement? If not, what would be the proper REGEX syntax to apply in my transforms.conf?
Any help would be great.
Note: username is also a metadata field.
Try this (using negative-lookahead):
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))|(logtype::SAT.*?id::ABC-3.*?username::(?![^:]+\-TEST))
See here for validation:
https://regex101.com/r/Vehygk/1
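A way to check offline how each expression would route events, as an added example that is not code from this thread: it runs the two regexes posted above, plus a hypothetical stricter variant, over constructed _meta strings. It assumes Python's `re` behaves like Splunk's PCRE for these constructs and that _meta holds space-separated key::value pairs.

```python
import re

# Regexes exactly as posted on this page (REGEX is applied as an unanchored search).
ATTEMPT = r'(logtype::SAT.*id::(ABC-1|ABC-2)) | (logtype::SAT.*id::ABC-3.*username!::[a-zA-Z]{2,3}-+.*?-TEST)'
ANSWER = r'(logtype::SAT.*id::(ABC-1|ABC-2))|(logtype::SAT.*?id::ABC-3.*?username::(?![^:]+\-TEST))'
# Hypothetical variant (not from the page): -TEST must be the END of the username token.
STRICT = r'(logtype::SAT.*id::(ABC-1|ABC-2))|(logtype::SAT.*?id::ABC-3.*?username::(?!\S*-TEST(?:\s|$)))'

# Constructed _meta strings; the usernames are made up for illustration.
SAMPLES = {
    "abc1_test_user": "logtype::SAT id::ABC-1 username::ab-jdoe-TEST",
    "abc3_real_user": "logtype::SAT id::ABC-3 username::ab-jdoe",
    "abc3_test_user": "logtype::SAT id::ABC-3 username::ab-jdoe-TEST",
    "abc3_test_in_middle": "logtype::SAT id::ABC-3 username::ab-TEST-jdoe",
    "abc3_no_username": "logtype::SAT id::ABC-3",
    "abc4_real_user": "logtype::SAT id::ABC-4 username::ab-jdoe",
}


def routed(regex, meta):
    """True if the transform would match, i.e. _TCP_ROUTING would be set."""
    return re.search(regex, meta) is not None


def routing_table(regex):
    """Map each constructed sample name to whether it would be routed."""
    return {name: routed(regex, meta) for name, meta in SAMPLES.items()}


if __name__ == "__main__":
    for label, rx in (("attempt", ATTEMPT), ("answer", ANSWER), ("strict", STRICT)):
        print(label)
        for name, hit in routing_table(rx).items():
            print(f"  {name:22} {'heavyforwarder' if hit else 'not routed'}")
```

On these samples the expression containing `!::` routes no ABC-3 events at all, because `!` and the spaces around `|` are matched as literal characters. The lookahead version also excludes ABC-3 events that have no username field or whose username contains `-TEST` in the middle.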
If you need to validate your regex try using www.regex101.com
You can post your expression and some logs and you get to see what is captured
Hope this helps
I am good with the regex. I have tested it and it worked. I'm trying to see if my syntax in transforms.conf is correct, especially since I need to use a not operator, and for that I have used "!". I wanted to check if that's the correct syntax format. @diogofgm