Hello,
I cannot configure multivalue field extraction. I have a following event. the last 4 lines Time Stamp and Message shall be extracted as separate values togather with value following the FROM: section on the first line. I used props.conf. and Transforms.conf (MV_ADD) however no use.
From: "Rnvr"
Subject: Control Center System Event
Date: Fri, 15 Jun 2018 18:14:07 +0400
Message-ID:
Return-Path: r@cou.ge
Received: from mail.cou.ge (LHLO mail.cou.ge) (192.168.222.10) by
mail.cou.ge with LMTP; Fri, 15 Jun 2018 18:13:58 +0400 (GET)
Received: from localhost (localhost [])
by mail.court.ge (Postfix) with ESMTP id 75C1519E007B
for ; Fri, 15 Jun 2018 18:13:58 +0400 (+04)
[2018-Jun-15 06:04:42 PM (GET)] Hardware event occurred (The controller write policy has been changed to Write Back.) on server
[2018-Jun-15 06:04:43 PM (GET)] Hardware event occurred (The virtual disk cache policy has changed.) on server
[2018-Jun-15 06:04:44 PM (GET)] Hardware event occurred (The virtual disk cache policy has changed.) on server
[2018-Jun-15 06:13:16 PM (GET)] Digital input 'Digital Input 1' deactivated.
↧