Pipeline rule to filter log_file_path

Need the pipeline to only process if logfile = X
has_field(“log_file_path”)
&& contains(to_string($message.log_file_path),“C\:\MyFolder\\logs\\LogFiles\\APPNAME\\logfile.log”)

Copied filter from search, added \ escapes. The Simulator shows the event will not be processed.

Hey @wkwood

I moved this post to the correct category. I also need stuff :rofl:

Is this what you have?

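rule "log_path"
when
    // has_field() takes the field NAME as a plain string; use straight quotes,
    // the curly quotes pasted from the forum editor do not parse.
    has_field("log_file_path")
    // Inside a double-quoted string literal each backslash is written as "\\";
    // "\:" and "\M" in the copied search filter are not valid escapes, which is
    // why the Simulator reports the event as not processed.
    AND contains(to_string($message.log_file_path), "C:\\MyFolder\\logs\\LogFiles\\APPNAME\\logfile.log")
then
    // Tag the message so later stages can test for the matching file.
    set_field("my_log", "<name_goes_here>");
end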

Thanks GSmith!
yes/no. I just need to use the filter to verify I am working on the specific log file; there are several in the target directory. I don't need to capture the log file name, just run a grok on the contents.

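rule "SiteCore-IIS-Logs"
when
    // has_field() expects the field NAME, not the field's value:
    // has_field(to_string($message.log_file_path)) looked up a field whose
    // name is the path string and therefore never matched.
    has_field("log_file_path")
    // Backslashes are doubled inside a double-quoted string literal and the
    // rule name / strings use straight quotes (curly quotes do not parse).
    // NOTE(review): u_ex230512.log is one day's IIS log (u_exYYMMDD); this rule
    // stops matching once IIS rotates the file — match on the W3SVC2 directory
    // instead if every log in it is meant.
    && contains(to_string($message.log_file_path), "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex230512.log")
then
    let message = to_string($message.message);
    // Earlier, coarser pattern kept for reference.
    //let parsed = grok(pattern:"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:s_ip} %{WORD:cs_method} %{GREEDYDATA:cs_STUFF}" , value: message, only_named_captures: true);
    // Capture names follow the IIS W3C header names (s-ip, cs-method, ...).
    // NOTE(review): if the grok parser rejects hyphens in capture names, switch
    // them to underscores; also confirm the pattern against the "#Fields:" header
    // of the log, since a different field order leaves `parsed` empty.
    let parsed = grok(pattern: "%{TIMESTAMP_ISO8601:datetime} %{NOTSPACE:s-ip} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{GREEDYDATA:cs-uri-query} %{INT:s-port:int} %{NOTSPACE:cs-username} %{NOTSPACE:c-ip} %{NOTSPACE:cs-useragent} %{NOTSPACE:referer} %{NUMBER:sc-status:int} %{NUMBER:sc-substatus:int} %{NUMBER:sc-win32-status:int} %{NUMBER:time-taken:int}", value: message, only_named_captures: true);
    // Copy every named capture onto the message as its own field.
    set_fields(parsed);
end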
