The following are my transforms.conf and props.conf on my cluster master, which send all the logs matching the search below:
logtype=SAT (id="ABC-1" OR id="ABC-2")
transforms.conf
[send_to_heavyforwarder]
SOURCE_KEY = _meta
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
DEST_KEY = _TCP_ROUTING
FORMAT = heavyforwarder_output
props.conf
[default]
TRANSFORMS-heavyforwarder = send_to_heavyforwarder
Now, I want to filter the events when the search condition below is met:
logtype=SAT id="ABC-2" username="anything that ends with **-TEST**"
In order to filter the events that match the above condition, how do I modify my REGEX in transforms.conf? I think I need to use something like a negative look-back, but I am not sure what my new syntax should be to filter the events when username ends with "-TEST".
Any help would be great.
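An added, offline way to check a candidate REGEX before putting it in transforms.conf (this is example code, not from the original post or from Splunk). It assumes _meta is a space-separated string of key::value pairs, as in the post's existing regex, and contrasts a lookahead placed after the id match with one anchored at the start of _meta; the field order inside _meta is a constructed assumption.

```python
import re

# Routing regex from the post: SAT events for ABC-1 or ABC-2.
ROUTE_ORIGINAL = re.compile(r"logtype::SAT.*id::(ABC-1|ABC-2)")

# Candidate 1 (assumption): negative lookahead placed right after the id match.
# It only sees the part of _meta that FOLLOWS the id field, so a username
# that appears before id is never inspected.
ROUTE_NAIVE = re.compile(
    r"logtype::SAT.*id::(ABC-1|ABC-2)(?!.*username::\S*-TEST(?:\s|$))"
)

# Candidate 2 (assumption): lookahead anchored at the start of _meta, so the
# username check covers the whole string regardless of field order.
# (?:\s|$) makes "-TEST" a suffix, so "-TESTER" is not excluded by accident.
ROUTE_ANCHORED = re.compile(
    r"^(?!.*username::\S*-TEST(?:\s|$)).*logtype::SAT.*id::(ABC-1|ABC-2)"
)

# Constructed sample _meta strings (hypothetical field order and values).
SAMPLES = {
    "prod_user":        "host::h1 logtype::SAT id::ABC-2 username::alice",
    "test_user_last":   "host::h1 logtype::SAT id::ABC-2 username::bob-TEST",
    "test_user_first":  "host::h1 username::carol-TEST logtype::SAT id::ABC-1",
    "tester_suffix":    "host::h1 logtype::SAT id::ABC-2 username::dave-TESTER",
    "other_id":         "host::h1 logtype::SAT id::ABC-3 username::eve",
    "other_logtype":    "host::h1 logtype::OTHER id::ABC-1 username::frank",
}


def matches(meta, pattern):
    """True when the transform's REGEX would fire for this _meta string.
    What a match then does (route via _TCP_ROUTING, or drop via
    DEST_KEY=queue / FORMAT=nullQueue) is decided by the rest of the stanza."""
    return pattern.search(meta) is not None


def evaluate(pattern, samples=SAMPLES):
    """Map each sample name to whether the pattern matches it."""
    return {name: matches(meta, pattern) for name, meta in samples.items()}


if __name__ == "__main__":
    for label, pat in (("original", ROUTE_ORIGINAL),
                       ("naive", ROUTE_NAIVE),
                       ("anchored", ROUTE_ANCHORED)):
        print(label, evaluate(pat))
```

The run shows the trap: the naive form still matches "test_user_first", while the anchored form excludes every -TEST username and keeps the -TESTER one.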