Any reason why my statement for props.conf isn't showing up as an extracted field?
EXTRACT-kls_error = (?(kls_error_*)\w+)
When I use just the rex in a search it gets the exact info that I need but when I am trying to create an extracted field it cannot
I believe you are missing group name like MuS suggested. Try this
EXTRACT-kls_error = (?<kls_error>kls\_error\_[\w]+)
I believe you are missing group name like MuS suggested. Try this
EXTRACT-kls_error = (?<kls_error>kls\_error\_[\w]+)
@diogofgm is correct, you need to put <NAME>
in your expression
For troubleshooting, you could try the extraction via rex
in the search bar to test it and see if it works
... | rex (?<kls_error>kls\_error\_[\w]+)
Does it work if you run it in an ad-hoc search and is it just the format or are you missing a capturing group name?