Hi,
I'm forwarding logs from a proxy using NX-log, and nxlog is using the string "#011" to separate fields, like this:
May 29 20:28:55 PROXY - 10.147.23.21#011anonymous#011Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36#0112017-05-29#01118:28:44#011WBCNGTY02#011-#011login.splunk.com#01154.191.103.192#011443#0110#0117408#0112032#011SSL-tunnel#011-#011login.splunk.com:443#011-#011Inet#0110#011Navigate#011Req ID: 05543040; Compression: client=No, server=No, compress rate=0% decompress rate=0%#011Internal#011Internal#0110x8#011Allowed#011-#011-#011-#011-#011Allowed#011Malware Inspection Disabled for the Matching Policy Rule#011Unknown#011-#0110#011-#0110#011-#011-#011Feature disabled#011Web Proxy#011login.splunk.com#0119958#015
I've created in my transforms.conf the following:
DELIMS = "\#"
FIELDS = "c-ip","cs-username","c-agent","date","time","s-computername","cs-referred","r-host","r-ip","r-port","time-taken","sc-bytes","cs-bytes","cs-protocol","s-operation","cs-uri","cs-mime-type","s-object-source","sc-status","rule","FilterInfo","cs-network","sc-network","error-info","action","AuthenticationServer","NIS_scan_result","NIS_signature","ThreatName","MalwareInspectionAction","MalwareInspectionResult","UrlCategory","MalwareInspectionContentDeliveryMethod","MalwareInspectionDuration","MalwareInspectionThreatLevel","internal-service-info","NIS_application_protocol","NAT_address","UrlCategorizationReason","SessionType","UrlDestHost","s-port"
And it works, but it's not OK because every field value has the string "011" at its beginning.
Is there a way to specify a field delimiter that is not a single character but a string?
I've tried the following
DELIMS = "\#011"
FIELDS = "c-ip","cs-username","c-agent","date","time","s-computername","cs-referred","r-host","r-ip","r-port","time-taken","sc-bytes","cs-bytes","cs-protocol","s-operation","cs-uri","cs-mime-type","s-object-source","sc-status","rule","FilterInfo","cs-network","sc-network","error-info","action","AuthenticationServer","NIS_scan_result","NIS_signature","ThreatName","MalwareInspectionAction","MalwareInspectionResult","UrlCategory","MalwareInspectionContentDeliveryMethod","MalwareInspectionDuration","MalwareInspectionThreatLevel","internal-service-info","NIS_application_protocol","NAT_address","UrlCategorizationReason","SessionType","UrlDestHost","s-port"
But that seems not to work.
Maybe there is another way of doing what I need.
Any help?
Thanks.
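Added example, not part of the original post: a Python sketch of the parsing problem described above, contrasting a split on the whole "#011" token with a split where every character of the delimiter string acts on its own (how Splunk's DELIMS setting treats its value). Assumptions: the sample line is the post's event cut down to its first ten fields, the syslog header regex is a guess at the prefix shape, and "#011"/"#015" are read as syslog-style octal escapes for tab and carriage return; all function names are hypothetical.

```python
import re

# First ten names from the FIELDS list in the post.
FIELDS = ["c-ip", "cs-username", "c-agent", "date", "time",
          "s-computername", "cs-referred", "r-host", "r-ip", "r-port"]

# Constructed sample: the post's event cut down to its first ten fields.
SAMPLE = ("May 29 20:28:55 PROXY - 10.147.23.21#011anonymous#011Mozilla/5.0 (Windows NT 6.1)"
          "#0112017-05-29#01118:28:44#011WBCNGTY02#011-#011login.splunk.com"
          "#01154.191.103.192#011443#015")

HEADER = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ - ")   # assumed syslog prefix shape
ESCAPE = re.compile(r"#([0-7]{3})")                   # syslog-style #ooo octal escape


def split_per_char(payload, delims):
    """Model a delimiter list where every character splits on its own."""
    return [p for p in re.split("[" + re.escape(delims) + "]", payload) if p]


def parse_event(line, fields=FIELDS):
    """Split on the whole '#011' token and map values to field names."""
    payload = HEADER.sub("", line, count=1)
    # Drop a trailing escaped CR/LF (#015 / #012) left by the forwarder.
    payload = re.sub(r"(?:#015|#012)+$", "", payload)
    values = payload.split("#011")
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    return dict(zip(fields, values))


def unescape(payload):
    """Turn every #ooo escape back into the control character it encodes."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), payload)


if __name__ == "__main__":
    event = parse_event(SAMPLE)
    print(event["c-ip"], event["time"], event["r-port"])
    # Per-character splitting eats the 0s and 1s inside the IP address.
    print(split_per_char("10.147.23.21#011anonymous", "#011"))
```

The per-character split shows why a delimiter string of "#011" damages values such as IP addresses and timestamps: the digits 0 and 1 become delimiters too.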