Hello,
I have logs coming from one of my applications were the events are structured differently. I want to extract "user" and "action" from these events, but the logs don't have a consistent pattern. I have written 3 different extractions for "user" and "actions", but when I use them in props.conf, not all the values are extracted. How can I extract these fields if they come in the events, but at different places?
My regex is mentioned below:
props.conf
[mysourcetype]
EXTRACT-user=^(?:[^\-\n]*\-){4}\d+>\s+<\w+\s+(?P[^ ]+)
EXTRACT-user=user:(?P\S+)(\s|\>)
EXTRACT-user=username\s(?P\S+)>
EXTRACT-action=\swas\s(?Plogin)\s
EXTRACT-action=\<(?P\S+)\ss
EXTRACT-action=\](?P\S+)\sJoined
I have also tried using transforms.conf, but no luck. Request your help.
↧