Hi everyone. Yesterday I spent most of the day battling through transforms.conf and props.conf, with lucrative results.
Today, however, a slight anomaly occurred; please see below. This works well for logs:
****
# transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \d+\/\d+\/\d\d\d\d\s\d+:\d\d:\d\d\s(AM|PM)\s(Error)\s
DEST_KEY = queue
FORMAT = indexQueue
****
# props.conf
[source::source-to-break]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = \d+\/\d+\/\d\d\d\d\s\d+:\d\d:\d\d\s(AM|PM)\s

[source::C:\\SplunkFwdTest\\*.log]
TRANSFORMS-set = setnull,setparsing
It worked brilliantly for just .log files. However, when I placed .zip files with .log files within them in the directory, it skipped both the [setnull] and [setparsing] transforms and just imported all the lines anyway. The BREAK_ONLY_BEFORE regex was respected to parse the events; I just found myself with thousands of unwanted events (non-errors) that were extracted. It's almost as if there is a glitch with .zip files where the contents are treated differently. Do I need to put another [source::whatever] section in the file to account for the zip files and their contents, or is this a bug?
I was expecting it to work. I'm now running a test where the line looks as follows:
[source::C:\\SplunkFwdTest\\*.(log|zip)]
This should respect both .zip and .log files and discard anything that isn't an error. I'm still waiting for results, but I may be doing this incorrectly even if it works?
Cheers
J.
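As an added check that is not part of J.'s post or Splunk's own code: a small Python simulation of the posted stanzas, applying the two transforms in TRANSFORMS-set order (the last transform whose REGEX matches wins for DEST_KEY = queue) after a BREAK_ONLY_BEFORE line merge, run over a constructed log sample both as plain text and as a .log member inside an in-memory .zip. The regexes are copied from the post with the unnecessary `\/` escapes dropped; the sample lines are made up for the test. It only models the regex routing, so if it keeps the same events from the zip member as from the plain file, the filter itself is fine and the difference in Splunk must come from which [source::...] stanza matches the archive member, which this script does not model.

```python
import io
import re
import zipfile

# Regexes copied from the posted transforms.conf / props.conf stanzas.
TIMESTAMP_RE = r"\d+/\d+/\d\d\d\d\s\d+:\d\d:\d\d\s(AM|PM)\s"
BREAK_ONLY_BEFORE = re.compile(TIMESTAMP_RE)

# TRANSFORMS-set = setnull,setparsing: the transforms run in this order and
# the last one whose REGEX matches wins for DEST_KEY = queue, so a catch-all
# setnull followed by a narrower setparsing keeps only the Error events.
TRANSFORMS = [
    ("setnull", re.compile(r"."), "nullQueue"),
    ("setparsing", re.compile(TIMESTAMP_RE + r"(Error)\s"), "indexQueue"),
]


def route(event):
    """Return the queue an event ends up in after the transform chain."""
    queue = "indexQueue"  # an event no transform touches is indexed
    for _name, regex, dest in TRANSFORMS:
        if regex.search(event):
            queue = dest
    return queue


def break_events(text):
    """Model SHOULD_LINEMERGE + BREAK_ONLY_BEFORE: a new event starts only at
    a line beginning with the timestamp; other lines join the previous event."""
    events = []
    for line in text.splitlines():
        if BREAK_ONLY_BEFORE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def index_events(text):
    """Events that survive the nullQueue filter (what would be indexed)."""
    return [e for e in break_events(text) if route(e) == "indexQueue"]


def index_events_from_zip(zip_bytes):
    """Run the same merge and filter over every .log member of a zip archive."""
    kept = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".log"):
                kept.extend(index_events(zf.read(name).decode("utf-8")))
    return kept


# Constructed sample in the date/time AM/PM level style the regexes expect
# (made-up lines, not data from the poster's environment).
SAMPLE_LOG = "\n".join([
    "1/15/2013 10:01:02 AM Error Service failed to start",
    "   at Foo.Bar()",
    "1/15/2013 10:01:03 AM Information Service heartbeat",
    "1/15/2013 10:01:04 PM Warning Disk at 90%",
    "1/15/2013 10:01:05 PM Error Connection refused",
])


def build_sample_zip():
    """Pack SAMPLE_LOG into an in-memory .zip with a non-.log member beside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("test.log", SAMPLE_LOG)
        zf.writestr("readme.txt", "not a log")
    return buf.getvalue()


if __name__ == "__main__":
    plain = index_events(SAMPLE_LOG)
    zipped = index_events_from_zip(build_sample_zip())
    print("plain .log kept %d of %d events" % (len(plain), len(break_events(SAMPLE_LOG))))
    print("zip member kept %d events, identical: %s" % (len(zipped), plain == zipped))
    for e in plain:
        print("  indexQueue <-", e.splitlines()[0])
```

Running it keeps the two Error events (the stack-trace line merged into the first one) from both the plain text and the zip member, so the next thing to check in Splunk is the source field on one of the unwanted zip-derived events and whether the [source::...] stanza pattern actually matches it.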