Hello i need filter fiel only on certain events, but this field uses in other message.
Samle events:
1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_cr = 56 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624
1508735662.348 d = a event = cup fI = "2017-10-22 17: 26: 37.000" serv = ru_1 sn = u_cl = 1 u_cr = 300 u_geo = RU u_id = 1256228 u_mn = 595 u_pvp = 0 u_sd = 600 u_st = 700 u_wd = 760 u_wl = 1
The field u_cr = 56 must be removed only from the first (event = vil). In the second (event = cup), it should not change.
After filter the first event looks like:
1508735029.189 d = a enm_val = 25440 event = vil gnr = w gnr_l = 91 serv = en_1 sn = o u_cl = 19 u_geo = RU u_id = 160370 u_mn = 2423432 u_pvp = 6433109 u_sd = 4101827 u_st = 1418129 u_wd = 2652063 u_wl = 91 vil = st vil_l = 16 win = 1624
I,m use regex transform:
In props.conf:
[compact]
TRANSFORMS-eventvil = vilcut
In transforms.conf:
[vilcut]
REGEX = (event=vil.*)u_cr=.[^ \?]*(.*)$
FORMAT = $1::$2
DEST_KEY = _raw
But field u_cr don't change. What am I doing wrong?
↧