Hello, I was trying to use the REGEX command within props/transforms conf files to extract fields, but field extraction is not working. Two sample events and my props/transforms conf files are given below. Any recommendations will be highly appreciated. Thank you so much.

props.conf

[mysourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD=24
TRUNCATE = 9999
REPORT-fieldEtraction = fieldEtraction

transforms.conf

[fieldEtraction]
REGEX = \{\"UserID\":\"(?P<UserID>\w+)\","UserType":\"(?P<UserType>\w+)\","System":\"(?P<System>\w+)\","UAT":\"(?P<UAT>.*)\","EventType":\"(?P<EventType>.*)\","EventID":"(?P<EventID>.*)\","Subject":"(?P<Subject>.*)\","EventStatus":"(?P<EventStatus>.*)\","TimeStamp":\"(?P<TimeStamp>.*)\","Device":"(?P<Device>.*)\","MsG":"(?P<Message>.*)\"}

Sample Events

2023-10-03T18:56:31.099Z OTESTN097MA4513020 TEST[20248] {"UserID":"8901A","UserType":"EMP","System":"TEST","UAT":"UTA-True","EventType":"TEST","EventID":"Lookup","Subject":"A516617222","EventStatus":"00","TimeStamp":"2023-10-03T18:56:31.099Z","Device":" OTESTN097MA4513020","Msg":"lookup ok"}
2023-10-03T18:56:32.086Z OTESTN097MA4513020 TEST[20248] {"UserID":"8901A","UserType":"EMP","System":"TEST","UAT":"UTA-True","EventType":"TEST","EventID":"Lookup","Subject":"A516617222","EventStatus":"00","TimeStamp":"2023-10-03T18:56:32.086Z","Device":" OTESTN097MA4513020","Msg":"lookup ok"}
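The posted REGEX can be checked offline against the posted sample event to find the key where it stops matching. This is an added example, not part of the original post: the function names and `FIXED_REGEX` are hypothetical, and it assumes Python's `re` treats these constructs the same way as the PCRE engine Splunk uses and that field values never contain an embedded double quote.

```python
import re

# REGEX value copied verbatim from the [fieldEtraction] stanza in the post.
POSTED_REGEX = r'''\{\"UserID\":\"(?P<UserID>\w+)\","UserType":\"(?P<UserType>\w+)\","System":\"(?P<System>\w+)\","UAT":\"(?P<UAT>.*)\","EventType":\"(?P<EventType>.*)\","EventID":"(?P<EventID>.*)\","Subject":"(?P<Subject>.*)\","EventStatus":"(?P<EventStatus>.*)\","TimeStamp":\"(?P<TimeStamp>.*)\","Device":"(?P<Device>.*)\","MsG":"(?P<Message>.*)\"}'''

# First sample event copied from the post.
SAMPLE_EVENT = '2023-10-03T18:56:31.099Z OTESTN097MA4513020 TEST[20248] {"UserID":"8901A","UserType":"EMP","System":"TEST","UAT":"UTA-True","EventType":"TEST","EventID":"Lookup","Subject":"A516617222","EventStatus":"00","TimeStamp":"2023-10-03T18:56:31.099Z","Device":" OTESTN097MA4513020","Msg":"lookup ok"}'

# Assumed correction (not from the post): match the key as it is spelled in the
# events ("Msg"), and stop each value at the next quote instead of a greedy ".*".
FIXED_REGEX = POSTED_REGEX.replace('"MsG"', '"Msg"').replace('.*', '[^"]*')


def extract(regex, event):
    """Return the named groups as a dict, or None when the pattern does not match."""
    m = re.search(regex, event)
    return m.groupdict() if m else None


def first_failing_key(regex, event):
    """Grow the pattern one key/value segment at a time and return the first
    key name whose segment makes the match fail (None if everything matches)."""
    # Every ',"' in the pattern text starts the next key, so cutting just
    # before it leaves a syntactically complete prefix pattern.
    cuts = [m.start() for m in re.finditer(',"', regex)] + [len(regex)]
    start = 0
    for cut in cuts:
        if re.search(regex[:cut], event) is None:
            # The first word in the segment that was just added is its key name.
            return re.search(r'\w+', regex[start:cut]).group(0)
        start = cut
    return None


if __name__ == "__main__":
    print("posted pattern fails at key:", first_failing_key(POSTED_REGEX, SAMPLE_EVENT))
    print("fixed pattern fields:", extract(FIXED_REGEX, SAMPLE_EVENT))
```

The match is case-sensitive, so the literal `"MsG"` in the pattern never lines up with `"Msg"` in the events, and a single failed literal means no named group is extracted at all.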