I have filter applied in transforms.conf as follows
[send_to_heavy_forwarder]
CAN_OPTIMIZE = True
CLEAN_KEYS = True
DEFAULT_VALUE =
DEST_KEY = _TCP_ROUTING
FORMAT = heavy_forwarder
KEEP_EMPTY_VALS = False
LOOKAHEAD = 4096
MATCH_LIMIT = 100000
MV_ADD = False
RECURSION_LIMIT = 1000
REGEX = (logtype::ABC.*id::IDB-28123.*username::((?!-TEST).)*$)
SOURCE_KEY = _meta
WRITE_META = False
All I'm trying here is to filter sending logs If the following conditions satisfies
logtype=ABC, id=IDB-28123 and username value doesn't end with TEST
which is not working but it is working if I removed the username part in the regex.
It's not working before due to the negative look up I applies. If so, how can I filter those test user logs?
Any help would be great.
↧