First you will want to make sure you assign a sourcetype to these logs. In your inputs.conf add sourcetype=distribution_log for example.
Next, in props.conf and transforms.conf, set up your field extractions as well as your host configuration.
Let's do the CSV fields first:
transforms.conf:
[extract-distribution-fields]
DELIMS = ";"
FIELDS = "DistroID","OS","Patch","EndPoint","State","Date","Time"
And apply the extraction in props.conf:
[distribution_log]
# DELIMS/FIELDS extractions are search-time, so they are applied with REPORT-, not TRANSFORMS-
REPORT-extract-header = extract-distribution-fields
To replace the host value with EndPoint, in transforms.conf:
[extract-distribution-host]
DEST_KEY = MetaData:Host
# [^;]* keeps each field within its own delimiter; a greedy .* would skip ahead and capture the wrong column
REGEX = ^\d+;[^;]*;[^;]*;([^;]*);
FORMAT = host::$1
and again apply the extraction in props.conf:
[distribution_log]
TRANSFORMS-extract-host = extract-distribution-host
So all together your config files could look like this:
transforms.conf:
[extract-distribution-fields]
DELIMS = ";"
FIELDS = "DistroID","OS","Patch","EndPoint","State","Date","Time"
[extract-distribution-host]
DEST_KEY = MetaData:Host
REGEX = ^\d+;[^;]*;[^;]*;([^;]*);
FORMAT = host::$1
and props.conf:
[distribution_log]
REPORT-extract-header = extract-distribution-fields
TRANSFORMS-extract-host = extract-distribution-host
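Because the host override runs at index time, a regex that captures the wrong column silently mislabels every event's host and cannot be fixed without re-indexing. The script below is an added example, not part of the answer above or of Splunk itself: it replays the DELIMS/FIELDS split and the REGEX/FORMAT host capture in Python over a few constructed log lines, and flags any line where the regex-derived host disagrees with the EndPoint column. It compares the greedy pattern as originally posted with the tightened `[^;]*` form. Python's `re` module is used as a stand-in for Splunk's PCRE engine; this pattern behaves the same in both, but that is an assumption to re-check for more exotic syntax.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the semicolon-delimited layout the answer describes:
# DistroID;OS;Patch;EndPoint;State;Date;Time
SAMPLE_LINES = [
    "1001;Windows10;KB5001;host-a;OK;2024-01-01;12:00:00",
    "1002;Windows11;KB5002;host-b;FAILED;2024-01-01;12:05:13",
    "1003;Server2019;KB5003;dc01;OK;2024-01-02;08:15:42",
]

FIELDS = ["DistroID", "OS", "Patch", "EndPoint", "State", "Date", "Time"]
DELIM = ";"

# Greedy pattern as originally posted, and the corrected one using [^;]* per field.
REGEX_ORIGINAL = r"^\d+;[^;].*;[^;].*;([^;].*);"
REGEX_FIXED = r"^\d+;[^;]*;[^;]*;([^;]*);"


def extract_fields(line: str) -> Dict[str, str]:
    """Mirror a DELIMS/FIELDS transform: split on the delimiter and pair with names."""
    values = line.split(DELIM)
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    return dict(zip(FIELDS, values))


def extract_host(line: str, regex: str) -> Optional[str]:
    """Mirror a REGEX/FORMAT=host::$1 transform: return capture group 1, or None on no match."""
    match = re.search(regex, line)
    return match.group(1) if match else None


def check_host_override(lines: List[str], regex: str) -> List[str]:
    """Return a description of every line whose regex-derived host differs from EndPoint."""
    mismatches = []
    for line in lines:
        expected = extract_fields(line)["EndPoint"]
        got = extract_host(line, regex)
        if got != expected:
            mismatches.append(f"{line} -> host={got!r}, EndPoint={expected!r}")
    return mismatches


if __name__ == "__main__":
    for name, regex in (("original", REGEX_ORIGINAL), ("fixed", REGEX_FIXED)):
        bad = check_host_override(SAMPLE_LINES, regex)
        print(f"{name}: {len(bad)} mismatched line(s)")
        for entry in bad:
            print("   ", entry)
```

Running it shows the greedy pattern capturing the Date column (`2024-01-01`) as the host on every sample line, while the `[^;]*` pattern yields `host-a`, `host-b` and `dc01`. Feeding a handful of real lines through a check like this before the stanza reaches indexers is cheap insurance against mis-attributed events.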