Hi,
I'm reading data from a JMeter test. One field is named either Admin or Admin-0, Admin-1 or Admin-2. The field is named ACL.
I want Splunk to index this only as Admin. As written above, there is a value Admin which should be kept but the others should be renamed to Admin (instead of Admin-0 etc.).
My props.conf already looks like this:
[mySourceType]
REPORT-jmeter = REPORT-jmeter
EXTRACT-full = ^(?<timeStamp>[^,]*),(?<elapsed>[^,]*),"(?<label>[^,]*),(?<ACL>[^"]*)",(?<responseCode>[^,]*),(?<responseMessage>[^,]*),(?:(?<targetHost>[^\s]*)\s(?<JMeterThread>[^,]*))?,(?<dataType>[^,]*),(?<success>[^,]*),(?<failureMessage>[^,]*),(?<bytes>[^,]*),(?<sentBytes>[^,]*),(?<grpThreads>[^,]*),(?<allThreads>[^,]*),(?<URL>[^,]*),(?<Latency>[^,]*),(?<IdleTime>[^,]*),(?<Connect>[^$]*)
Example data:
2019/08/21 14:52:14.222,2003,"Upload Document TXT, User-0",302,OK,hostname 1-1,text,true,,1234,0,1,1,https://FQDN,2003,0,0
So the above props.conf already splits two strings into two fields.
May I ask someone to help me to achieve this?
Thanks in advance!
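An added example (not part of the original post, and not Splunk configuration): the post's EXTRACT-full pattern rewritten in Python group syntax, run against the sample line, followed by the requested normalization. It shows that the ACL group captures the space after the comma, so the value is trimmed before the numeric suffix is dropped; `normalize_acl`, `parse_line` and the second sample line are assumptions made for this illustration.

```python
import re

# The post's EXTRACT-full pattern with Python's (?P<name>...) group syntax
# and without the forum's bold markers.
EXTRACT_FULL = re.compile(
    r'^(?P<timeStamp>[^,]*),(?P<elapsed>[^,]*),'
    r'"(?P<label>[^,]*),(?P<ACL>[^"]*)",'
    r'(?P<responseCode>[^,]*),(?P<responseMessage>[^,]*),'
    r'(?:(?P<targetHost>[^\s]*)\s(?P<JMeterThread>[^,]*))?,'
    r'(?P<dataType>[^,]*),(?P<success>[^,]*),(?P<failureMessage>[^,]*),'
    r'(?P<bytes>[^,]*),(?P<sentBytes>[^,]*),(?P<grpThreads>[^,]*),'
    r'(?P<allThreads>[^,]*),(?P<URL>[^,]*),(?P<Latency>[^,]*),'
    r'(?P<IdleTime>[^,]*),(?P<Connect>[^$]*)'
)

# Only a trailing "-<digits>" is removed, so a hyphenated name that does not
# end in a number is left unchanged.
NUMERIC_SUFFIX = re.compile(r'-\d+$')


def normalize_acl(value):
    """Trim surrounding whitespace, then drop a trailing -<digits> suffix."""
    return NUMERIC_SUFFIX.sub('', value.strip())


def parse_line(line):
    """Return the extracted fields with ACL normalized, or None if no match."""
    m = EXTRACT_FULL.match(line.rstrip('\n'))
    if m is None:
        return None
    fields = m.groupdict()
    fields['ACL'] = normalize_acl(fields['ACL'])
    return fields


# Sample line from the post.
SAMPLE = ('2019/08/21 14:52:14.222,2003,"Upload Document TXT, User-0",302,OK,'
          'hostname 1-1,text,true,,1234,0,1,1,https://FQDN,2003,0,0')
# Constructed line: same layout, ACL value "Admin-2".
SAMPLE_ADMIN = SAMPLE.replace('User-0', 'Admin-2')

if __name__ == '__main__':
    for line in (SAMPLE, SAMPLE_ADMIN):
        raw = EXTRACT_FULL.match(line).group('ACL')
        print(repr(raw), '->', repr(parse_line(line)['ACL']))
```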