Hello,
I try to explain better.
I want an index-time field called "Sp".
My inputs.conf is:
[monitor:///log/logServer/file.log]
disabled = false
index = test01
sourcetype = file-test
My props.conf is:
[file-test]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE=false
pulldown_type = 1
TRANSFORMS-filter_logs = extract_fields-test
My transforms.conf is:
[extract_fields-test]
REGEX = (?\d+-\d+-\d+\s+\d+:\d+:\d+,\d+)\s+(?\w{5})(?\w{1})_
FORMAT = Ts::"$1" Sp::"$2" Tsp::"$3"
WRITE_META = true
My log file is:
09-05-2018 10:12:15,123 ABC12I_AAA
09-05-2018 10:12:15,123 ABC12I_BBB
09-05-2018 10:12:15,123 ABC12O_CCC
Index-time extraction creates the key "Sp" (for the 3 events), but I am not able to search using Sp=ABC12 without wildcards.
I want to create an index-time field called Sp, and I want to be able to search the field without wildcards.
Thanks
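The following is an added worked example, not part of the original post and not Splunk's own code. It reconstructs the post's REGEX as a Python pattern with named groups (the group names `Ts`, `Sp`, `Tsp` are assumed from the FORMAT line, since the extraction stripped them), runs it over the three sample events from the post, emulates the `$1`/`$2`/`$3` substitution of the FORMAT line, and then performs an exact-value lookup on `Sp`. It lets you confirm offline that the regex itself yields `Sp=ABC12` for every event, so any remaining search problem lies with how the indexed field is declared rather than with the extraction.

```python
import re

# Assumed reconstruction of the post's transforms.conf REGEX with named
# groups (names inferred from the FORMAT line, not present in the post).
TRANSFORM_REGEX = re.compile(
    r"(?P<Ts>\d+-\d+-\d+\s+\d+:\d+:\d+,\d+)\s+(?P<Sp>\w{5})(?P<Tsp>\w{1})_"
)

# FORMAT line exactly as given in the post.
FORMAT = 'Ts::"$1" Sp::"$2" Tsp::"$3"'

# Constructed sample input: the three log lines from the post.
SAMPLE_EVENTS = [
    "09-05-2018 10:12:15,123 ABC12I_AAA",
    "09-05-2018 10:12:15,123 ABC12I_BBB",
    "09-05-2018 10:12:15,123 ABC12O_CCC",
]


def extract_fields(event):
    """Apply the transform regex to one event; return the named groups
    as a dict, or None when the regex does not match."""
    match = TRANSFORM_REGEX.search(event)
    if match is None:
        return None
    return match.groupdict()


def render_format(event, fmt=FORMAT):
    """Emulate Splunk's $N substitution in FORMAT using the positional
    capture groups of the regex. Returns None when there is no match."""
    match = TRANSFORM_REGEX.search(event)
    if match is None:
        return None
    # Replace each $N with the N-th capture group.
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), fmt)


def search_exact(events, field, value):
    """Return the events whose extracted `field` equals `value` exactly,
    i.e. the behaviour expected from Sp=ABC12 with no wildcard."""
    hits = []
    for event in events:
        fields = extract_fields(event)
        if fields is not None and fields.get(field) == value:
            hits.append(event)
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(render_format(ev))
    print("exact Sp=ABC12 hits:", len(search_exact(SAMPLE_EVENTS, "Sp", "ABC12")))
```

Running this shows `Sp::"ABC12"` for all three events and three exact hits, so the regex is not the obstacle. For an index-time field to be searchable as a bare `Sp=ABC12` term, Splunk additionally needs the field declared as indexed in fields.conf (a `[Sp]` stanza with `INDEXED = true`) on the search head; without that declaration the search is evaluated against raw event text, which is why only wildcard searches appear to work.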