Hi,
I have a feed where the fields are separated by brackets (<>). I have a transforms.conf that extracts the fields automatically:
REGEX = <([^\/][^>]+)>(.*?)<\/[^>]+>
FORMAT = $1::$2
MV_ADD = true
Unfortunately, the fields are all uppercase. I don't see any way to make the fields lowercase, so I've started creating aliases, using FIELD_ALIAS. We need to do this so that they are caught by our ES rules. I also need to do a transforms to map the values appropriately.
Here is a sample field: "Allow
I want to create an alias with the field name to be "action" and a transform that makes the value "allowed". I get the new field, but the transform is not working. Here's what I have configured:
props.conf:
FIELDALIAS-action = ACTION as action
transforms.conf:
[forcepoint_xml]
REGEX = <([^\/][^>]+)>(.*?)<\/[^>]+>
FORMAT = $1::$2
MV_ADD = true
[ACTION]
REGEX = (Allow|Permit)
FORMAT = ACTION::allowed
Any suggestions?
↧