Hi Shaun,

While there is no explicit processor that will carry this out in one
action, I believe we have the tools in place for you to accomplish the
functionality with our standard processors.

Not sure I have your exact case, but the way I approached this is through
the following sample data:

1,Session1,<other data>
2,Session1,<other data>
3,Session2,<other data>
4,Session4,<other data>

transforming to 3 resultant groupings:

1,Session1,<other data>
2,Session1,<other data>

3,Session2,<other data>

4,Session4,<other data>

I think SplitText[1] and ExtractText[2] with MergeContent[3] (optionally)
may be able to help you with your case.  SplitText would break incoming
data into a single event line.  ExtractText would be able to find your
session variable from the line and promote it to an attribute.  This
attribute could then be used for the 'Correlation Attribute Name' to group
each of the separate lines together.  I am a little unclear on the "want
multiple lines carrying a session variable to be group one session
variables line," but this probably gets us close if the interpretation was
incorrect.

Feel free to provide some sample data (I'm not familiar with the F5 log
format) or some additional details if this comes up a bit short.

[1]
https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi.processors.standard.SplitText/index.html
[2]
https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi.processors.standard.ExtractText/index.html
[3]
https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi.processors.standard.MergeContent/index.html

On Tue, Jun 21, 2016 at 9:48 AM, Shaun McAdams <[email protected]>
wrote:

> Hey users,
>
> I was sent a request for a splunk use case to lower some of the volume
> going to enterprise spunk.  Data is from an F5 (log). Easily enough they
> want some data dropped, however they also want multiple lines carrying a
> session variable to be group one session variables line.  I don’t see a
> implementation of such a combiner in Nifi itself and want to make sure I’m
> not overlooking something.  It appears I need to site-to-site this to a
> spark instance running the combiner. (as one possible solution for them).
> Wondered if anyone else had implemented such a use case.
>
> Thanks.
> --
> Shaun McAdams
>
> ------------------------------
> [image: Moser Consulting] <http://www.moserit.com>
>
> Web <http://www.moserit.com> | Twitter <http://j.mp/mosertwitter> |
> Facebook <http://j.mp/moserfacebook> | LinkedIn
> <http://j.mp/moserlinkedin> | Google+ <http://j.mp/mosergoogle>
> ------------------------------
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
> for the sole use of the intended recipient(s) and may contain confidential
> and privileged information or may otherwise be protected by law. Any
> unauthorized review, use, disclosure or distribution is prohibited. If you
> are not the intended recipient, please contact the sender by reply e-mail
> and destroy all copies of the original message and any attachment thereto.
>

Reply via email to