I get lots of data from various systems via syslog. One of my systems sends me data that looks like this:
HEADERTEXT: name=value;name=value;name=value.......
I have a generic transform written to extract the name/value pairs. The problem is, I have other data that looks like this:
SOMEOTHERHEADER: http://www.blah.com/servlet?name=value;name=value
What I am finding is that the name/value extraction from my first transform is getting applied to data from the second as well. What I would like to do is somehow say in props.conf:
"Only apply this stanza if this RE is matched". I would then put the RE as "HEADERTEXT".
Does anyone have any pointers on whether something like this is possible? I can't put HEADERTEXT in the RE in transforms.conf as it's a recursive RE for extracting multiple kv's.
Here are some samples, plus my matching RE's from transforms.conf. As you can see, the User-Agent in the first example (DATA1) actually causes the data to match both REGEX1 and REGEX2, causing the data to be tagged with both sourcetypes.
DATA1
Aug 2 21:54:32 10.1.2.3 tmm[1853]: Rule syslog_http : HTTP,10.1.2.4:5804,vs_https_oursite,4.4.4.3:49788,oururl.com,/somepath,10.1.2.5:7001,302,2,http://somewhere.gov/,GET,'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; aff-kingsoft-ciba; staticlogin:product=cboxf09&act=login&info=ZmlsZW5hbWU9UG93ZXJ3b; SE 2.X)',''
REGEX1
tmm\[\d+\]: Rule syslog_http <(?:HTTP_(?:RESPONSE|REQUEST)|LB_FAILED)>: (?:HTTP|HTTP-ERROR|LB-ERROR),([\d|.]+):([\d]+),([\w]+),([\d|.]+):([\d]+),([\w\d:.-]+),([^,?]+)(\?[^,]*)?,(?:([\d|.]+):([\d]+))?,([\d]+),([\d]*),([^,]*),([^,]*),'([^,]*)','([^,]*)'
DATA2
Aug 2 01:30:01 10.120.17.247 user:01:30:02.019 INFO SummaryData - SUMMARY:name1=value1;name2=value2;name3=value3;
REGEX2
([_a-z]+)=([^;]+);
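Added example, not part of the original post and not Splunk's own code: a small Python reproduction of the collision described above, run over two constructed log lines modelled on DATA1 and DATA2 (the field names and values are made up; the real DATA2 names are placeholders in the post). It applies REGEX2 exactly as posted, which shows that the User-Agent's "product=...;" fragment satisfies it, and then applies the same regex only to the payload that follows an assumed header literal, here SUMMARY:, so the web line yields nothing. In Splunk terms this is the two-stage shape where one transform captures the payload into a field and a second transform runs against that field via SOURCE_KEY; the transforms.conf stanzas themselves are not shown here.

```python
import re

# Constructed sample lines modelled on DATA1 and DATA2 in the post (not real log data).
DATA1 = (
    "Aug 2 21:54:32 10.1.2.3 tmm[1853]: Rule syslog_http: HTTP,"
    "10.1.2.4:5804,vs_https_oursite,4.4.4.3:49788,oururl.com,/somepath,"
    "10.1.2.5:7001,302,2,http://somewhere.gov/,GET,'Mozilla/4.0 (compatible; MSIE 7.0; "
    "Windows NT 6.1; .NET CLR 2.0.50727; Media Center PC 6.0; aff-kingsoft-ciba; "
    "staticlogin:product=cboxf09&act=login&info=ZmlsZW5hbWU9UG93ZXJ3b; SE 2.X)',''"
)
DATA2 = (
    "Aug 2 01:30:01 10.120.17.247 user:01:30:02.019 INFO SummaryData - "
    "SUMMARY:host=web01;status=ok;count=3;"
)

# REGEX2 from the post, unchanged: a repeated name=value; extractor.
KV_RE = re.compile(r"([_a-z]+)=([^;]+);")

# Stage one (assumed header literal): only lines that carry "SUMMARY:" yield a payload.
HEADER_RE = re.compile(r"SUMMARY:(?P<payload>.*)$")


def naive_extract(line):
    """Apply the kv regex to the whole event, as an unanchored transform would."""
    return dict(KV_RE.findall(line))


def anchored_extract(line):
    """Apply the kv regex only to the text after the header; other events get nothing."""
    m = HEADER_RE.search(line)
    if not m:
        return {}
    return dict(KV_RE.findall(m.group("payload")))


if __name__ == "__main__":
    # The web line "matches" the kv regex through its User-Agent string...
    print("naive DATA1   :", naive_extract(DATA1))
    # ...but produces nothing once extraction is gated on the header.
    print("anchored DATA1:", anchored_extract(DATA1))
    print("anchored DATA2:", anchored_extract(DATA2))
```

The naive pass over DATA1 returns a single bogus pair whose key is "product" and whose value is the rest of the query string up to the first ";", which is exactly the cross-contamination the post describes; the anchored pass returns an empty dict for DATA1 and the three real pairs for DATA2.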