On 6/20/2011 6:27 AM, John P. Rouillard wrote:
>
> Also for others seeing this thread in the mailing list, one other way
> of handling it would have been to preprocess one of your logs using
> something like sed or perl to convert your uppercase names to
> lowercase (or the lowercase to uppercase). But this moves some of the
> complexity outside of SEC which may or may not be desirable.

I'll take that as another opportunity to pitch my idea for a new rule 
type -- Transform.  This would retain all attributes of the input 
(source, etc.), but you can replace the original input with whatever you 
choose, e.g.:

type=Transform
continue=takenext
ptype=RegExp
pattern=^(\S+): (.*)
replace=\L$1\E: $2

You could sorta get away with using event for this, but that puts the 
event back at the top of processing (and loses the source), whereas this 
would change the input only for all rules following the Transform rule 
-- no re-injection. The continue=TakeNext is implied (not continuing 
would be kinda silly :)), but I put it in to be clear anyway.   I can 
think of various semantics here.  For example, no new rule type, but a 
new 'replace' action instead that works just like event, but retains the 
source and does not reinject at the top of the ruleset.  This would also 
avoid the awkwardness of having to change the original event solely to 
avoid it matching recursively.

Regards,
Mark
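
A small simulation of the Transform semantics proposed above, as an added example that is not part of the original message and is not SEC code (the rule type is only a proposal in this thread). The Line class, the expand and process helpers, the rule descriptions and the sample log lines are constructed for illustration, and every rule is assumed to behave as continue=TakeNext.

```python
import re
from dataclasses import dataclass

@dataclass
class Line:
    text: str
    source: str  # input the line was read from; must survive the rewrite

def expand(template, m):
    """Expand $1..$9 and Perl-style \\L...\\E (lowercase) in a replace template."""
    def groups(s):
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), s)
    # re.split with one capture group: odd indices are the text inside \L...\E
    parts = re.split(r"\\L(.*?)\\E", template)
    return "".join(groups(p).lower() if i % 2 else groups(p)
                   for i, p in enumerate(parts))

# Constructed ruleset: one rule before the Transform, one after it.
RULES = [
    {"type": "Single", "pattern": r"^web01: ", "desc": "before-transform"},
    {"type": "Transform", "pattern": r"^(\S+): (.*)", "replace": r"\L$1\E: $2"},
    {"type": "Single", "pattern": r"^web01: login failed", "desc": "after-transform"},
]

def process(line, rules=RULES):
    """Walk the rules once, top to bottom (no re-injection at the top)."""
    hits = []
    for rule in rules:
        m = re.search(rule["pattern"], line.text)
        if not m:
            continue
        if rule["type"] == "Transform":
            # Replace the input for the rules that follow; keep the source.
            line = Line(expand(rule["replace"], m), line.source)
        else:
            hits.append(rule["desc"])
    return line, hits

if __name__ == "__main__":
    # Constructed sample input: same host logged in two different cases.
    for raw in ("WEB01: login failed for root", "web01: login failed for root"):
        out, hits = process(Line(raw, "/var/log/app.log"))
        print(f"{raw!r} -> {out.text!r} source={out.source} hits={hits}")
```

The uppercase line misses the rule placed before the Transform and matches the one placed after it, which is the "only for all rules following" behaviour described in the message.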



_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users