I have two applications; these can exist in preprod or live environments. I want to have a field on logs from both applications called "environment", which is set to LIVE if it is in the live environment.
Using field extractions I am able to extract whether a URI is from a live or preprod server for Application A by extracting LIVE when it appears in the URI and putting it into a field. This is easy as LIVE URIs include the string LIVE.
regex to match start of URI... (?P<environment>(?i)(LIVE))
For Application B it is different: PREPROD URIs are marked PREPROD, and LIVE versions are unmarked. However, for consistency between applications, I'd like to put a live field onto the live URIs. As there is no longer a 'LIVE' string to extract from the live URIs (live URIs for this app are shown by a lack of PREPROD), I'm not sure how to do this with a regex field extraction. I need to basically detect logs which do not contain preprod, and create a new field on them, named environment, populated with the value 'live'.
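
One way to get a consistent `environment` field for both applications, shown as an added example that is not part of the original post: a search-time regex extraction for Application A and a calculated field for Application B. The stanza names `app_a` and `app_b` and the already-extracted field `uri` are assumptions.

```ini
# props.conf (search-time settings)
# Stanza names and the "uri" field are assumed for illustration.

[app_a]
# Application A: LIVE URIs contain the literal string LIVE, so a capture
# group can populate the field directly. The part of the post's regex that
# matches the start of the URI is omitted here.
EXTRACT-environment = (?i)(?P<environment>LIVE)

[app_b]
# Application B: LIVE is signalled by the absence of PREPROD. A capture group
# cannot return text that is not in the event, so the value is computed with
# a calculated field, which is evaluated after field extractions.
# Replace "PREPROD" with null() to leave the field unset on preprod events,
# matching what the Application A extraction does.
EVAL-environment = if(match(uri, "(?i)PREPROD"), "PREPROD", "LIVE")
```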