Filebeat multiline log into ES/Kib

Hi,

Searching for assistance here if possible.

I have log files that are created by piping the output of the 'SET' command into a file (exporting environment variables), in the example shape below:

ALLUSERSPROFILE=C:\ProgramData
ANDROID_SDK_HOME=C:\Android
APPDATA=C:\Users\JamesBond\AppData\Roaming
ChocolateyInstall=C:\ProgramData\chocolatey

And I have an ingest pipeline, noted below:

{
  "kv": {
    "field": "_source.message",
    "field_split": "\" \"",
    "value_split": "=",
    "ignore_missing": true,
    "strip_brackets": true,
    "description": "Equals delimited data"
  }
}

I'm attempting to record the fields in a timeline, for example what date/time 'APPDATA' was for a certain user (the field value). (I hope this description makes sense!)

Currently I'm only seeing the last line in the log as 'message' data; no other fields are being parsed, and I'm stumped as to where to look next.

Any tips would be gratefully appreciated!
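An added example, not part of the original post and not Elasticsearch's own code: a simplified Python model of key/value splitting, run over the four sample lines above, comparing the separator from the posted pipeline with a newline separator and then building the per-variable timeline rows the post asks for. The names `kv_split` and `timeline`, the `variable`/`value` field names, the assumption that the whole file arrives as one multi-line event, and the timestamp are all assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the post's four lines as ONE multi-line event (CRLF line ends).
SAMPLE = (
    "ALLUSERSPROFILE=C:\\ProgramData\r\n"
    "ANDROID_SDK_HOME=C:\\Android\r\n"
    "APPDATA=C:\\Users\\JamesBond\\AppData\\Roaming\r\n"
    "ChocolateyInstall=C:\\ProgramData\\chocolatey\r\n"
)

def kv_split(message, field_split, value_split="="):
    """Simplified model: regex-split the message into pairs, then split each
    pair once on value_split so an '=' inside a value is preserved."""
    fields = {}
    for part in re.split(field_split, message):
        if not part:
            continue  # empty piece left after the final line ending
        key, sep, value = part.partition(value_split)
        if not sep:
            raise ValueError(f"no {value_split!r} in {part!r}")
        fields[key] = value
    return fields

def timeline(message, collected_at, field_split=r"\r?\n"):
    """One record per variable, stamped with the time the file was collected."""
    return [
        {"@timestamp": collected_at.isoformat(), "variable": k, "value": v}
        for k, v in kv_split(message, field_split).items()
    ]

if __name__ == "__main__":
    # Separator as posted: the three literal characters quote, space, quote.
    # It never occurs in SET output, so everything collapses into one key.
    posted = kv_split(SAMPLE, '" "')
    print(len(posted), "field(s) with the posted separator:", list(posted))

    # Newline separator: one field per environment variable.
    when = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    for row in timeline(SAMPLE, when):
        print(row)
```
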
