Hi guys,
I defined my source type as follows (in props.conf):

```
[anomalies]
DATETIME_CONFIG =
FIELD_NAMES = COL1, COL2, TIMESTAMP, COL4, COL5, KPI_ID, COL7, COL8, COL9, COL10, COL11, COL12, COL13, ALARM
INDEXED_EXTRACTIONS = csv
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = AAAA
pulldown_type = 1
disabled = false
FIELD_DELIMITER = ,
TIME_PREFIX = .*?,.*?,
MAX_TIMESTAMP_LOOKAHEAD = 10
TZ = UTC
```
and my log file is this:

```
1,2,1411261200000,4,5,6,7,8,9,10,[11],12,13,[ALARM]
1,2,1411261200000,4,5,6,7,8,9,10,[11],12,13,[ALARM]
```
My problem is that I need to replace all the **[** and **]** characters with **"[** or **]"**.

I need this pre-processing because in my log file I also have some lines in the following format:

```
1,2,1411261200000,4,5,6,7,8,9,10,[11,111,1111],12,13,[ALARM]
```

The field **[11,111,1111]** is my problem because Splunk splits this field into 3 different fields:

```
[11
111
1111]
```
How can I solve this problem?
Thank you!
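
The pre-processing described in the post, as an added example that is not part of the original post: a Python filter, run over the file before it is indexed, that wraps each unquoted `[...]` group in double quotes and checks that every line then parses into the 14 columns listed in `FIELD_NAMES`. The function names are hypothetical, and the sample lines are the ones quoted in the post.

```python
import csv
import io
import re

# Column names copied from FIELD_NAMES in the [anomalies] stanza of the post.
FIELD_NAMES = ["COL1", "COL2", "TIMESTAMP", "COL4", "COL5", "KPI_ID", "COL7",
               "COL8", "COL9", "COL10", "COL11", "COL12", "COL13", "ALARM"]

# A [...] group that is not already wrapped in double quotes.
BRACKETED = re.compile(r'(?<!")\[[^\[\]"]*\](?!")')


def quote_brackets(line):
    """Wrap every unquoted [...] group in double quotes (safe to run twice)."""
    return BRACKETED.sub(lambda m: '"' + m.group(0) + '"', line)


def parse_line(line):
    """Quote bracket groups, parse as CSV, and map the values to FIELD_NAMES."""
    fixed = quote_brackets(line.rstrip("\r\n"))
    # A line with a missing bracket would shift columns silently: reject it.
    if fixed.count("[") != fixed.count("]"):
        raise ValueError("unbalanced brackets: " + line)
    row = next(csv.reader(io.StringIO(fixed)))
    if len(row) != len(FIELD_NAMES):
        raise ValueError("expected %d fields, got %d"
                         % (len(FIELD_NAMES), len(row)))
    return dict(zip(FIELD_NAMES, row))


if __name__ == "__main__":
    # Sample lines taken from the post.
    samples = [
        "1,2,1411261200000,4,5,6,7,8,9,10,[11],12,13,[ALARM]",
        "1,2,1411261200000,4,5,6,7,8,9,10,[11,111,1111],12,13,[ALARM]",
    ]
    for raw in samples:
        print(quote_brackets(raw))
        print(parse_line(raw)["COL11"])
```
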