My head hurts from banging it on Google. My Heavy Forwarder is receiving events that contain a significant about of content that we don't want or need. These events are standard MS message tracking log files that are FILLED with XML content within random messages. I am able to drop all of the XML, but also need to drop a portion of the message: https://technet.microsoft.com/en-us/library/bb124375%28v=exchg.150%29.aspx. The messages are comma delimited with ~ 26 fields (no field names) and additional XML content.
I use the following to define everything after the 21st comma as "interesting"
SEDCMD-mail = s/^(?:[^,]*\,){21}([\s\S]*)/-/g
with the hopes everything after is replaced with a "-" (or anything). Problem is, the SEDCMD takes everything before and after.
I can use this one to define everything within the XML but this leaves too much of the message to be indexed
SEDCMD-mail = s/
↧
