Hi @PickleRick - Yes, I did the changes accordingly. Now I am facing the below:

1. Able to get the expected results running without sourcetype, but while running the search with sourcetype=nix:messages OR sourcetype=fortigate_traffic, 0 results are returned.
2. The host extraction from the source which was there earlier is now not working.

props.conf

```ini
### to send traffic and non-traffic events ###
[source::.../TUC-*/OOB/TUC-*(50M)*.log]
TRANSFORMS-routing = route_nix_messages, route_fortigate_traffic
TRANSFORMS-sourcetype = set_nix_sourcetype_if_not_traffic, set_fortigate_sourcetype_if_routed

### to extract host from source ###
[nix:messages]
TRANSFORMS-set_host = set_custom_host

[fortigate_traffic]
TRANSFORMS-set_host = set_custom_host
```

transforms.conf

```ini
### to send traffic and non-traffic events ###
[route_nix_messages]
DEST_KEY = _MetaData:Index
REGEX = .*
FORMAT = os_linux

[set_nix_sourcetype_if_not_traffic]
DEST_KEY = MetaData:Sourcetype
REGEX = .*
FORMAT = nix:messages

[route_fortigate_traffic]
DEST_KEY = _MetaData:Index
REGEX = (?i)\b(traffic|session|firewall|deny|accept)\b
FORMAT = nw_fortigate

[set_fortigate_sourcetype_if_routed]
DEST_KEY = MetaData:Sourcetype
REGEX = (?i)\b(traffic|session|firewall|deny|accept)\b
FORMAT = fortigate_traffic

### to extract host from source ###
[set_custom_host]
REGEX = /TUC-[^/]+/[^/\n]+/([^-\n]+(?:-[^-\n]+){0,5})-(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-\d{2}-\d{2}-\d{4}\.log
FORMAT = host::$1
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Source
```
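An added, stand-alone check (not part of the post and not Splunk's own pipeline) that runs the regexes from the posted transforms.conf over constructed sample events and source paths, so the routing decision and the host capture group can be verified offline before touching the indexer. It assumes transforms in one TRANSFORMS list apply in the listed order with the later match winning; everything else Splunk does at parse time is out of scope.

```python
import re

# Regexes copied verbatim from the posted transforms.conf stanzas.
TRAFFIC_RE = re.compile(r"(?i)\b(traffic|session|firewall|deny|accept)\b")
HOST_RE = re.compile(
    r"/TUC-[^/]+/[^/\n]+/([^-\n]+(?:-[^-\n]+){0,5})"
    r"-(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-\d{2}-\d{2}-\d{4}\.log"
)


def route_event(source: str, raw: str) -> dict:
    """Emulate the posted transforms for one event (assumption: listed order,
    later match overrides). Returns what each regex would set."""
    # route_nix_messages / set_nix_sourcetype_if_not_traffic use REGEX = .*,
    # so every event starts out as os_linux / nix:messages.
    index, sourcetype = "os_linux", "nix:messages"
    # route_fortigate_traffic / set_fortigate_sourcetype_if_routed come later
    # in the list and override only when the keyword regex matches.
    if TRAFFIC_RE.search(raw):
        index, sourcetype = "nw_fortigate", "fortigate_traffic"
    # set_custom_host captures the host segment(s) from the source path.
    m = HOST_RE.search(source)
    return {
        "index": index,
        "sourcetype": sourcetype,
        "host": m.group(1) if m else None,   # None: no host override applied
        "ip": m.group(2) if m else None,
    }


# Constructed sample data (hypothetical paths and log lines).
SOURCE_OK = "/opt/logs/TUC-site1/OOB/TUC-fw-edge-01-10.1.2.3-01-02-2024.log"
# Same file with the size tag placed right before ".log": the host regex
# requires "-DD-DD-DDDD.log" at the end, so this one yields no host.
SOURCE_TAGGED = "/opt/logs/TUC-site1/OOB/TUC-fw-edge-01-10.1.2.3-01-02-2024(50M).log"
EVENT_SYSLOG = "Jan 02 10:00:00 sshd[123]: Accepted publickey for admin"
EVENT_TRAFFIC = "date=2024-01-02 type=traffic action=accept srcip=10.0.0.5"

if __name__ == "__main__":
    for src in (SOURCE_OK, SOURCE_TAGGED):
        for raw in (EVENT_SYSLOG, EVENT_TRAFFIC):
            print(src.rsplit("/", 1)[-1], "|", raw[:30], "->", route_event(src, raw))
```

Note that "Accepted" in the syslog line does not trigger the traffic regex because `\b` requires a word boundary right after `accept`, so that event stays in os_linux.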