Hi there,
I am trying to parse a log that an application is dumping into the Windows event log. The issue is that the extraction made by the standard WinEvent transforms does not consider that there is more than one word before and after the delimiter =.
Example of the log:
20140504153716.000000
Category=0
CategoryString=NULL
EventCode=104
EventIdentifier=-2147483544
EventType=2
Logfile=Application
RecordNumber=106325
SourceName=TestApp
TimeGenerated=20140504123716.000000-000
TimeWritten=20140504123716.000000-000
Type=Warning
User=DOM\admin_app
ComputerName=SPE.DOM.org
wmi_type=WinEventLog:Application
Message=A container violation has been found
Date/time of event = 2014-05-04 15:37:16
Event Severity Level = Warning
File name = \\FS\UNC\Groups\OTS\MAD\File_Test.xlsx
File status = NOT REPAIRED
Component name = TEMP_FILE_01810668
Component disposition = NOT REPAIRED
Container Violation = Encrypted container
Client SID = S-1-5-21-3273526520-21644477317230-11231323
Client Computer = TestComp1
Client IP = 10.12.13.15
Scan Duration (sec) = 0.000
Connect Duration (sec) = 0.031
Server IP address = 10.56.68.45
Uptime (in seconds) = 518661
The extraction doesn't take everything before and after the delimiter, i.e.
"status = NOT" instead of "File Status = NOT REPAIRED"
The transforms look like this:
[wel-message]
# split the event at the Message= line: everything before it goes to _pre_msg,
# the rest of the event text goes to Message
REGEX = (?sm)^(?<_pre_msg>.+)\nMessage=(?<Message>.+)$
CLEAN_KEYS = false
[wel-eq-kv]
# header lines: one key=value pair per line, split on newline and "="
SOURCE_KEY = _pre_msg
DELIMS = "\n","="
MV_ADD = true
[wel-col-kv]
# Message body: "key: value" lines (delimiter is ":", not "=")
SOURCE_KEY = Message
REGEX = \n([^:\n\r]+):[ \t]++([^\n]*)
FORMAT = $1::$2
MV_ADD = true
The props look like this:
[TestWinMV]
BREAK_ONLY_BEFORE=^\d+
TIME_FORMAT=%Y%m%d%H%M%S.%3N
BREAK_ONLY_BEFORE_DATE=false
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
Thanks in advance,
Naor
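As an added example (not part of Naor's post and not Splunk code), the same extraction done with Python's re module, so the two regex styles can be checked against the pasted event before editing transforms.conf: the post's colon-delimited wel-col-kv pattern matches nothing in this Message body, while an "="-delimited pattern that lets the key run from line start to the first "=" and the value to end of line returns whole keys and values such as "File status" -> "NOT REPAIRED". The sample event is the one quoted in the post, pasted inline; clean_key is an assumed approximation of Splunk's documented CLEAN_KEYS behaviour, not Splunk's own implementation.

```python
import re

# Constructed sample: the event quoted in the post above, pasted inline as a
# raw string (not a live capture from a Splunk instance).
SAMPLE_EVENT = r"""20140504153716.000000
Category=0
CategoryString=NULL
EventCode=104
EventIdentifier=-2147483544
EventType=2
Logfile=Application
RecordNumber=106325
SourceName=TestApp
TimeGenerated=20140504123716.000000-000
TimeWritten=20140504123716.000000-000
Type=Warning
User=DOM\admin_app
ComputerName=SPE.DOM.org
wmi_type=WinEventLog:Application
Message=A container violation has been found
Date/time of event = 2014-05-04 15:37:16
Event Severity Level = Warning
File name = \\FS\UNC\Groups\OTS\MAD\File_Test.xlsx
File status = NOT REPAIRED
Component name = TEMP_FILE_01810668
Component disposition = NOT REPAIRED
Container Violation = Encrypted container
Client SID = S-1-5-21-3273526520-21644477317230-11231323
Client Computer = TestComp1
Client IP = 10.12.13.15
Scan Duration (sec) = 0.000
Connect Duration (sec) = 0.031
Server IP address = 10.56.68.45
Uptime (in seconds) = 518661
"""

# Same split as the post's wel-message transform, but non-greedy so the cut
# happens at the first "Message=" line instead of the last one.
HEADER_SPLIT = re.compile(r"(?s)^(?P<_pre_msg>.+?)\nMessage=(?P<Message>.+)$")

# The post's wel-col-kv pattern ("key: value"). The possessive "++" is written
# as "+" because Python's re only accepts possessive quantifiers from 3.11 on.
# Kept here to show that it does not fire on "key = value" lines at all.
COLON_KV = re.compile(r"\n([^:\n\r]+):[ \t]+([^\n]*)")

# "=" delimiter with optional blanks on either side: the key is everything
# from line start to the first "=" (so "File status" stays whole) and the
# value runs to end of line (so "NOT REPAIRED" stays whole). A trailing \r is
# dropped so CRLF events parse the same as LF ones.
EQ_KV = re.compile(
    r"^(?P<key>[^=\r\n]+?)[ \t]*=[ \t]*(?P<value>.*?)[ \t\r]*$", re.M
)


def clean_key(key):
    """Assumed approximation of Splunk's CLEAN_KEYS=true: characters outside
    [A-Za-z0-9_] become "_", and leading digits/underscores are dropped."""
    return re.sub(r"[^A-Za-z0-9_]", "_", key).lstrip("_0123456789")


def count_matches(pattern, text):
    """How many key/value pairs a pattern would extract from text."""
    return sum(1 for _ in pattern.finditer(text))


def parse_event(raw, clean_keys=False):
    """Return a dict of fields from one WinEventLog event: the header
    key=value lines, the full Message text, and the "key = value" lines
    inside the Message body (clean_keys applies to those body keys only)."""
    m = HEADER_SPLIT.match(raw)
    if m is None:
        raise ValueError("no Message= line in event")
    fields = {}
    for kv in EQ_KV.finditer(m.group("_pre_msg")):
        fields[kv.group("key")] = kv.group("value")
    message = m.group("Message")
    fields["Message"] = message
    for kv in EQ_KV.finditer(message):
        key = clean_key(kv.group("key")) if clean_keys else kv.group("key")
        fields[key] = kv.group("value")
    return fields


if __name__ == "__main__":
    fields = parse_event(SAMPLE_EVENT)
    print("colon pattern matches in Message body:",
          count_matches(COLON_KV, fields["Message"]))
    print("'=' pattern matches in Message body:",
          count_matches(EQ_KV, fields["Message"]))
    for key in ("File status", "Client IP", "Scan Duration (sec)"):
        print(f"{key!r} -> {fields[key]!r}")
```

Running it against the pasted event gives 0 matches for the colon pattern and 14 for the "=" pattern, one per body line. Dropping the possessive quantifier is the only change needed to try a Splunk PCRE pattern in Python; the "=" pattern itself can be pasted back into a transforms.conf REGEX with FORMAT = $1::$2 unchanged, since it uses only syntax PCRE also accepts.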