One of my data sources relates to file-system data from a third-party product. The data is tab-delimited *without* field names. Extraction is achieved via **transforms.conf** as follows (field list truncated here):
```
[FileSystemData]
DELIMS="\t"
FIELDS="date","host","path",...
```
In combination with **props.conf**:
```
[application:filesystemdata]
KV_MODE = none
REPORT-application = FileSystemData
SHOULD_LINEMERGE = false
```
The problem I have is that sometimes the raw and extracted path data are different, i.e. the leading backslash is dropped for the **path** field:
```
_raw data: \\?\Volume{volume_guid}\path\to\file.txt
extracted: \?\Volume{volume_guid}\path\to\file.txt
```
Can anyone explain why this is happening and how I should stop it? Should I try to "re-parse" the data with a regex extraction in **props.conf**?