Hi community, I have the need to exclude AIX logs containing a certain field value. This is the regex the parser is using to extract vendor_action filed: ^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+(?<pid>\d+)\s+(?<ppid>\d+)\s+(?<user>\S+)\s+(?<process>\S+)\s+(?<vendor_action>\S+)\s+(?<status>\S+) I'm trying to exclude events that contain vedor_action=FILE_Unlink and these are my conf file located on Heavy Forwarder: props.conf [aix:audit]
TRANSFORMS-null= setnull transforms.conf [setnull]
REGEX = ^\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+FILE_Unlink\s+\S+
DEST_KEY = queue
FORMAT = nullQueue There are sample logs: the first one should be excluded while the second one no: Fri Jul 02 10:01:49 2021 34078844 8520050 dbloader rm FILE_Unlink OK Not supported
filename /tmp/CSI_ODS_M_SIA__INFO_RILANCIO.txt
Fri Jul 02 10:01:46 2021 34930828 4587668 root root lsvg FILE_Unlink OK
filename /dev/__pv17.0.34930828 When I restart spunk all logs are excluded, so I think something is wrong with my REGEX even if on regex101 seems to work fine. Any ideas? Thanks a lot Marta
... View more