It is not performing as expected. Here is what we are trying to accomplish. The log file is a CSV and we need to filter out all the events / data that are under 1400 bytes, which is found in field 31.
Sample log:
2016/02/25 19:14:20,010401000240,TRAFFIC,start,1,2016/02/25 19:14:20,0.1.2.3,4.5.6.7,8.9.10.11,12.13.14.15,Outbound Services,,,dns,vsys1,TRUST,UNTRUST,ethernet1/18.80,ethernet1/17.1000,All Syslog Servers -Includes VZ,2016/02/25 19:14:20,133312,1,63869,53,60901,53,0x400000,udp,allow,96,96,0,1,2016/02/25 19:14:21,0,any,0,13810046794,0x0,255.255.0.0-255.255.255.255,US,0,1,0,n/a
The current configuration is:
props.conf
[source::///var/log/proxy/paloalto/palo.log]
TRANSFORMS-null = setnull,setnullindex
transforms.conf
[setnull]
REGEX = ^(?:[^,]*?,){31}(\d{1,3}|1[0-3]\d{2}|1400)
DEST_KEY = queue
FORMAT = nullQueue
[setnullindex]
SOURCE_KEY = _MetaData:Index
REGEX = plvpalo
DEST_KEY = queue
FORMAT = nullQueue
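Added example (not part of the original post or of the Splunk/PAN-OS configuration): a small Python harness that runs the posted REGEX against the sample line plus constructed variants of it, with a plain CSV parse of field 31 as the ground truth. It surfaces two things worth checking before putting a nullQueue rule into production: how many comma-terminated fields `{N}` actually skips (31 skips land the capture on field 32), and what an alternation with no trailing delimiter matches. The corrected pattern and the `should_drop` threshold (bytes <= 1400, mirroring the `|1400` branch as posted) are assumptions made for the example; Python's `re` stands in for Splunk's PCRE engine, which agrees on everything used here.

```python
import re

# Sample record taken from the post (PAN-OS TRAFFIC log, CSV). Field 31 (1-based)
# is the session byte count; in this line it is 96.
SAMPLE_LINE = (
    "2016/02/25 19:14:20,010401000240,TRAFFIC,start,1,2016/02/25 19:14:20,"
    "0.1.2.3,4.5.6.7,8.9.10.11,12.13.14.15,Outbound Services,,,dns,vsys1,TRUST,UNTRUST,"
    "ethernet1/18.80,ethernet1/17.1000,All Syslog Servers -Includes VZ,2016/02/25 19:14:20,"
    "133312,1,63869,53,60901,53,0x400000,udp,allow,96,96,0,1,2016/02/25 19:14:21,0,any,0,"
    "13810046794,0x0,255.255.0.0-255.255.255.255,US,0,1,0,n/a"
)

BYTES_FIELD = 31  # 1-based position of the bytes column, as stated in the post

# REGEX exactly as posted in transforms.conf. Two things to notice when it runs:
#  - {31} consumes 31 comma-terminated fields, so the capture group starts on field 32;
#  - nothing follows the alternation, so \d{1,3} is satisfied by the first digits of
#    any number ("500" inside "5000"), and the size test never really applies.
POSTED = re.compile(r"^(?:[^,]*?,){31}(\d{1,3}|1[0-3]\d{2}|1400)")

# Corrected form (assumption: same threshold semantics as posted, i.e. 0..1400 inclusive):
# skip BYTES_FIELD - 1 fields so the capture is field 31, and require the comma that
# terminates the field so the whole value, not a prefix, has to fit the alternation.
CORRECTED = re.compile(
    r"^(?:[^,]*,){%d}(\d{1,3}|1[0-3]\d{2}|1400)," % (BYTES_FIELD - 1)
)


def set_field(line, index_1based, value):
    """Return a copy of a CSV line with one field replaced (builds constructed variants)."""
    fields = line.split(",")
    fields[index_1based - 1] = str(value)
    return ",".join(fields)


def bytes_field(line):
    """Parse the bytes column the way a CSV reader would: the ground truth for the check."""
    return int(line.split(",")[BYTES_FIELD - 1])


def posted_drops(line):
    """True if the posted REGEX would route the event to nullQueue."""
    return POSTED.search(line) is not None


def corrected_drops(line):
    """True if the corrected REGEX would route the event to nullQueue."""
    return CORRECTED.search(line) is not None


def should_drop(line):
    """Intended behaviour: drop when bytes <= 1400 (the posted alternation includes 1400)."""
    return bytes_field(line) <= 1400


def audit(lines):
    """Compare both regexes against the CSV-parsed truth; one (bytes, posted, corrected, intended) row per line."""
    return [
        (bytes_field(l), posted_drops(l), corrected_drops(l), should_drop(l)) for l in lines
    ]


if __name__ == "__main__":
    # Constructed variants: only field 31 changes, everything else is the sample line.
    variants = [
        SAMPLE_LINE,                                # bytes = 96   -> should be dropped
        set_field(SAMPLE_LINE, BYTES_FIELD, 1400),  # boundary     -> dropped (|1400 branch)
        set_field(SAMPLE_LINE, BYTES_FIELD, 1401),  # just over    -> should be kept
        set_field(SAMPLE_LINE, BYTES_FIELD, 5000),  # large flow   -> should be kept
    ]
    print("bytes  posted  corrected  intended")
    for b, p, c, want in audit(variants):
        print(f"{b:5d}  {p!s:6}  {c!s:9}  {want!s}")
```

Run it as-is and the 5000-byte variant is the telling row: the posted rule still says "drop" because it is looking at field 32 (bytes_sent, still 96), while the corrected rule and the CSV parse agree the event should be kept. The same harness can be pointed at a few hundred real lines from palo.log before the TRANSFORMS stanza goes live, which is cheaper than discovering missing events at search time.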