The following are my transforms.conf and props.conf in my cluster master, which are sending all the logs for the below search:
logtype=SAT (id="ABC-1" OR id="ABC-2")
    # transforms.conf
    [send_to_heavyforwarder]
    SOURCE_KEY = _meta
    REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
    DEST_KEY = _TCP_ROUTING
    FORMAT = heavyforwarder_output

    # props.conf
    [default]
    TRANSFORMS-heavyforwarder = send_to_heavyforwarder
Now, I want to filter the events when the below search condition is met:
logtype=SAT id="ABC-2" username="anything that ends with -TEST"
In order to filter the events that match the above condition, how do I modify my REGEX in transforms.conf? I think I need to use something like negative look-back, but I am not sure what my new syntax could be that filters the events when username ends with "-TEST".
Any help would be great.
Try this?
Hi @mayurr98 I actually want to exclude any logs which contain "-TEST" at the end of username. The above answer will work if I wanted to include those logs.
I am trying to find the right syntax for excluding those, something like negative look-backs.
Thanks @mayurr98. It almost worked great, but what could be the regex if my username values are as follows
Among the above 4 examples, I just want to filter the username values that end with -TEST.
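Added example, not part of the original thread and not any poster's code: one way to express the exclusion with a negative lookahead, exercised in Python over constructed `_meta` strings. It assumes `_meta` is a single line of space-separated `key::value` tokens and that `username` is an indexed field present there; `tok`, `routed` and the sample values are hypothetical names and data.

```python
import re

# Assumption: _meta is one line of space-separated key::value tokens and
# username is an indexed field present there, like logtype and id.
def tok(pattern):
    """Pattern for one whole key::value token anywhere on the line."""
    return r"(?:.*\s)?" + pattern + r"(?:\s|$)"

# Negative lookahead: reject when id is ABC-2 AND username ends with -TEST.
EXCLUDE = r"(?!(?=" + tok(r"id::ABC-2") + r")" + tok(r"username::\S*-TEST") + r")"
# The thread's routing condition, written order-independently with
# whole-token matching (so id::ABC-20 does not count as ABC-2).
ROUTE = r"(?=" + tok(r"logtype::SAT") + r")" + tok(r"id::(?:ABC-1|ABC-2)")
REGEX = r"^" + EXCLUDE + ROUTE

def routed(meta):
    """True if the event would be sent to the heavy forwarder output."""
    return re.search(REGEX, meta) is not None

# Constructed sample _meta values (not taken from the thread).
SAMPLES = [
    "logtype::SAT id::ABC-1 username::alice",
    "logtype::SAT id::ABC-2 username::bob",
    "logtype::SAT id::ABC-2 username::bob-TEST",
    "logtype::SAT id::ABC-1 username::carol-TEST",
    "logtype::SAT id::ABC-2 username::dave-TEST-1",
    "username::erin-TEST id::ABC-2 logtype::SAT",
    "logtype::WEB id::ABC-2 username::frank",
    "logtype::SAT id::ABC-20 username::grace",
]

def check_samples():
    return [(meta, routed(meta)) for meta in SAMPLES]

if __name__ == "__main__":
    print("REGEX =", REGEX)
    for meta, sent in check_samples():
        print("route" if sent else "skip ", meta)
```

The printed `REGEX` value uses only lookahead, grouping and `\s`/`\S` syntax that PCRE shares with Python; verify it against real `_meta` content before placing it in transforms.conf.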