About your older comment: First up, I'm not familiar with REPORT-fields and I have no time to google right now, but did it work at all? Did the Eventtype field get populated with numbers? I wouldn't be surprised if the other fields didn't get populated as I think there is an issue in your regexes. For instance in:
[schema_14]
REGEX = ^(14)([^,]*)
FORMAT = Eventtype::$1 timestamp::$2 timestamp2::$3 date::$4 pid::$5 cmdno::$6 user::$7 client::$8 func::$9 host::$10 prog::$11 version::$12 args::$13 filesAdded::$14 fileUpdated::$15 filesDeleted::$16 bytesAdded::$17 bytesUpdated::$18 bytesDeleted::$19
Your regex will match the 14 at the start of the line and assign that to $1, which then should go into Eventtype. But after the 14, there is a comma in the data, therefore $2 will be empty. And of course there is no $3, $4, etc... I believe the regex line should be something like:
REGEX = ^(14)(?:,([^,]*)){18}
You basically need to match the comma as a separator and then repeat the whole comma-followed-by-some-non-comma-chars pattern as many times as there are other fields.
Now, about your second comment, this is closer to the kind of thing I've seen before. If I'm not mistaken, this should set the sourcetype field to "command_log" if the event line starts with 7. Did that work? If yes, then you're mostly there, as you found a way to separate your initial data into bunches with the same schema. Just create as many TRANSFORMS as there are schemas. The next step is to define the format of each sourcetype somewhere. I'm not sure how to do that, but that's a much simpler issue than your initial problem.
I appreciate I'm not being extremely helpful here... I'm afraid it's the blind leading the blind! Don't hesitate to comment back. Hopefully you'll be able to make some progress...
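Added example (not part of the original thread, and not the poster's own config): a Python script that runs the three regex variants discussed above against a constructed comma-separated line with the 19 fields named in the FORMAT line, so you can see exactly which $N groups each one produces before putting anything into transforms.conf. Python's re module is used as a stand-in for Splunk's PCRE engine; the two agree on the behaviour shown here. One caveat worth knowing: in both engines a quantified capture group such as `(?:,([^,]*)){18}` keeps only its last repetition, so it yields two groups rather than nineteen, and the `,([^,]*)` group has to be written out once per field. The script builds that explicit regex programmatically for any event type and field count (the `build_regex` and `transforms_stanza` helpers and the sample line are my own constructions, not from the thread).

```python
import re

# Constructed sample line (not from the original post): event type 14 followed by
# the 18 fields named in the poster's FORMAT line, comma-separated.
SAMPLE_LINE = (
    "14,1690000000,1690000001,2023-07-22,4242,17,alice,10.0.0.5,sync,buildhost,"
    "p4,2023.1,//depot/main/src,3,1,0,1024,512,0"
)

# Field names in $1..$19 order, taken from the FORMAT line in the thread.
FIELD_NAMES = [
    "Eventtype", "timestamp", "timestamp2", "date", "pid", "cmdno", "user",
    "client", "func", "host", "prog", "version", "args", "filesAdded",
    "fileUpdated", "filesDeleted", "bytesAdded", "bytesUpdated", "bytesDeleted",
]

# Regex from the original [schema_14] stanza: matches "14" but never consumes the
# comma that follows it, so $2 is always empty and $3..$19 do not exist at all.
ORIGINAL_REGEX = r"^(14)([^,]*)"

# Repeated-group variant: consumes the whole line, but a quantified capture group
# retains only its LAST repetition, so the pattern still has just 2 groups.
REPEATED_GROUP_REGEX = r"^(14)(?:,([^,]*)){18}"


def build_regex(event_type, n_fields):
    """Explicit-group regex: one ',([^,]*)' per field after the event type.

    Hypothetical helper; generalises the [schema_14] case to any event type.
    """
    return r"^(" + re.escape(str(event_type)) + r")" + r",([^,]*)" * n_fields


EXPLICIT_REGEX = build_regex(14, len(FIELD_NAMES) - 1)


def group_count(regex):
    """Number of capture groups the engine sees, i.e. how many $N Splunk could fill."""
    return re.compile(regex).groups


def extract(regex, line):
    """Map FORMAT names onto captured groups the way 'name::$N' would, or None.

    zip() stops at the shorter sequence, so names with no matching group are
    simply absent, mirroring fields that never get populated.
    """
    m = re.match(regex, line)
    if m is None:
        return None
    return dict(zip(FIELD_NAMES, m.groups()))


def transforms_stanza(event_type, field_names):
    """Render a transforms.conf stanza with the explicit regex and a FORMAT line."""
    regex = build_regex(event_type, len(field_names) - 1)
    fmt = " ".join(f"{name}::${i + 1}" for i, name in enumerate(field_names))
    return f"[schema_{event_type}]\nREGEX = {regex}\nFORMAT = {fmt}\n"


if __name__ == "__main__":
    for label, rx in [("original", ORIGINAL_REGEX),
                      ("repeated group", REPEATED_GROUP_REGEX),
                      ("explicit groups", EXPLICIT_REGEX)]:
        print(f"{label}: {group_count(rx)} groups -> {extract(rx, SAMPLE_LINE)}")
    print(transforms_stanza(14, FIELD_NAMES))
```

Running the script shows the original pattern filling only Eventtype and an empty timestamp, the repeated-group pattern filling Eventtype and a timestamp that actually holds the last field's value, and the explicit pattern populating all nineteen names. Splunk's REGEX setting also accepts named groups of the form `(?<user>[^,]*)`, which removes the need for a FORMAT line and makes the $N bookkeeping harder to get wrong; the same explicit-group structure applies either way.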