Hey Splunkers,
I have a question to throw out there regarding a true map reduce dilemma.
I have a props.conf statement that has evals that are interdependent on each other. I have noted that when placed into props, they strictly run independently of each other as a rule. How would I get them recognized in the first place? None of these are recognized fields in the data either.
I guess I could create an extract for the first field, but then what? The other fields still rely on the first.
I am stuck because we are trying to tackle this on the front side to get this into a data model so that our root event constraint search can pick up all of the stuff I have reduced ahead of time.
Looking at the evals below, I have to somehow get the fields to be recognized. I am not sure where to turn.
[BLABLAsrc]
SHOULD_LINEMERGE = false
REPORT-inserts = extract_inserts
REPORT-updates = extract_updates
REPORT-discards = extract_discards
REPORT-deletes = extract_deletes
EVAL-GG_comp=replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt","")
EVAL-GG_last=substr(GG_comp,len(GG_comp),1)
EVAL-n=if(isnum(GG_last),"yes","no")
EVAL-GG_grp= if(n="yes",substr(GG_comp,1,len(GG_comp)-1),GG_comp)
EVAL-f1 = split(_raw,"Table")
transforms.conf
[extract_inserts]
REGEX = inserts:\s+(?\w*)
[extract_updates]
REGEX = updates:\s+(?\w*)
[extract_discards]
REGEX = discards:\s+(?\w*)
[extract_deletes]
REGEX = deletes:\s+(?\w*)
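Added example, not part of the original post: Splunk evaluates all `EVAL-` calculated fields of a stanza in parallel, so one calculated field cannot read another. Each expression below is therefore written out in full against `source`. The stanza name and expressions are taken from the post, and the `REPORT-` lines and `EVAL-f1` stay as posted.

```ini
# props.conf -- added example, not the poster's configuration.
# Calculated fields run after the REPORT- extractions and in parallel with
# each other, so every EVAL- below depends only on `source`, never on
# another EVAL- field in this stanza.
[BLABLAsrc]
# Report name: path prefix and .rpt suffix stripped (expression as posted)
EVAL-GG_comp = replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt","")
# Last character of the report name, with GG_comp inlined
EVAL-GG_last = substr(replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt",""),len(replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt","")),1)
# "yes" when that last character is numeric, with GG_last inlined
EVAL-n = if(isnum(substr(replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt",""),len(replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt","")),1)),"yes","no")
# Group name: trailing digit dropped when present, with n and GG_comp inlined
EVAL-GG_grp = if(isnum(substr(replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt",""),len(replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt","")),1)),substr(replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt",""),1,len(replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt",""))-1),replace(replace(source,"/ggs/ggsoft/dirrpt/",""),".rpt",""))
```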