Hello All,
i'm trying to format the "json" formatted data with a custom sourcetype. below are my sample events
{"formatVersion":"1.0", "vendor":"BeyondTrust","product":"BeyondInsight","version":"6.3.1","agentid":"PBPS","severity":"0","eventid":"PBPS","eventname":"Requestor","eventdesc":"Request Response Expire","eventdate":"Nov 07 2017 21:31:11","sourcehost":"test-vm-1","sourceip":"127.0.0.1","eventsubject":"0127.0.00.001","eventtype":"0","user":"ssltest", "nvps" : {"clienthost":"test-vm-1", "eventseverity":"0", "logsystemid":"121", "logtime":"11/07/2017 21:31:11", "username":"ssltest", "userid":"2", "roleused":"Requestor", "objecttypeid":"7", "objecttype":"Request Response", "objectid":"14", "operation":"Expire", "failed":"False", "target":"localhost/btuser", "details":"ReleaseRequest #9"}}{"formatVersion":"1.0", "vendor":"BeyondTrust","product":"BeyondInsight","version":"6.3.1","agentid":"PBPS","severity":"0","eventid":"PBPS","eventname":"System","eventdesc":"Release Request Expire","eventdate":"Nov 07 2017 21:31:11","sourcehost":"test-vm-1","sourceip":"127.0.0.1","eventsubject":"0127.0.00.001","eventtype":"0","user":"Internal process","workgroupid":"1","workgroupdesc":"BeyondTrust Workgroup", "nvps" : {"clienthost":"test-vm-1", "eventseverity":"0", "logsystemid":"122", "logtime":"11/07/2017 21:31:11", "username":"Internal process", "userid":"0", "roleused":"System", "objecttypeid":"6", "objecttype":"Release Request", "objectid":"9", "operation":"Expire", "failed":"False", "target":"ManagedSystem=localhost ManagedAccount=btuser", "details":"ReleaseRequest #9, Ticket #, TicketSystem="}}
and props.conf is
"TIME_PREFIX=\"eventdate\":\"
TIME_FORMAT= %b %d %Y %H:%M:%S
LINE_BREAKER=([\r\n]+)\s*{"formatVersion
SHOULD_LINEMERGE=false
ANNOTATE_PUNCT=false
TRUNCATE = 0
KV_MODE=json
AUTO_KV_JSON=true"
i facing issue at line breaker can any one help me?
... View more