My sample events are like this
event 1
My name is Ethan [host="asw.pbrfinance.sdo.dgr.com"]
My address is 46e 91 st [host="asw.pbrfinance.sdo.dgr.com"]
my city is Atlanta [host="asw.pbrfinance.sdo.dgr.com"]
event 2
My name is Thomas [host="asw..sdo.dgr.cowq234wdwaf.mhh.com"]
My address is 996e 97 st [host="asw..sdo.dgr.cowq234wdwaf.mhh.com"]
my city is Atlanta [host="asw..sdo.dgr.cowq234wdwaf.mhh.com"]
I want to limit the host name coming in the output as only one entry and not multiple times . Is there anyway to do this in props .conf ? Please help me with a proper regex for this .
Expected output
event 1
My name is Ethan [host="asw.pbrfinance.sdo.dgr.com"]
My address is 46e 91 st
my city is Atlanta
The props.conf file is for inputs, not outputs. Splunk has no way of knowing at input-time if any particular value is a duplicate or not.
It's not clear how the one output event is derived from the two input events.
What problem are you trying to solve?