Hi,
My data is something like below.
Although I have added the props.conf and transforms.conf and defined them, it works well only when, say, 20 lines are coming, but not when 10 lines are coming. It's getting indexed correctly but with warnings, and values are going to another sourcetype, _too_small.
Thu May 28 14:57:29 2020: Unknown trap (.bla bla) received from IP at:
Value 0: abcd
Value 1: efgh
Value 2: ijkl
Value 3: .mnop
Value 4: qrst
Value 5:
Value 6:
Value 7:
Value 8:
Value 9:
Value 10:
props.conf
---------------
[sourcetypename]
TIME_FORMAT = %a %B %d %H:%M:%S %Y
REPORT-Device = REPORT-Device
transforms.conf
----------------------
[REPORT-Device]
DELIMS = "\\n"
FIELDS = "field1","Device","IP","field4","field5","field6","field7","field8","field9","field10"
Do I have to not define these fields, as we don't get 10 fields all the time, sometimes less and sometimes more?
How can I do this field extraction dynamically?
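
The variable-length layout in the post, parsed one `Value N:` line at a time instead of through a fixed positional field list. This is an added example, not part of the original post and not Splunk configuration. The function name `parse_traps`, the `Value_<n>` field naming and the sample text are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: two trap events with different numbers of Value lines.
SAMPLE = """\
Thu May 28 14:57:29 2020: Unknown trap (.bla bla) received from IP at:
Value 0: abcd
Value 1: efgh
Value 2:
Thu May 28 14:58:02 2020: Unknown trap (.bla bla) received from IP at:
Value 0: qrst
Value 1:
Value 2: .mnop
Value 3: ijkl
Value 4: uvwx
"""

# An event starts at a line that opens with the timestamp shown in the post.
HEADER = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (.*)$")
# Each following line is its own key/value pair; the value may be empty.
VALUE = re.compile(r"^Value (\d+):[ \t]*(.*)$")

def parse_traps(text):
    """Split text into events and extract however many Value lines each has."""
    events = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            ts = datetime.strptime(header.group(1), "%a %b %d %H:%M:%S %Y")
            events.append({"time": ts, "message": header.group(2), "values": {}})
            continue
        value = VALUE.match(line)
        if value and events:
            index, content = int(value.group(1)), value.group(2).strip()
            if content:  # skip lines such as "Value 5:" that carry no data
                events[-1]["values"][f"Value_{index}"] = content
    return events

if __name__ == "__main__":
    for event in parse_traps(SAMPLE):
        print(event["time"].isoformat(), event["values"])
```

Because each field name comes from the number on its own line, an event with three values and an event with twenty go through the same pattern, and empty `Value N:` lines produce no field.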