The field extraction works for nearly all events, except for events where the line count is over 450. The returned value of the extraction for such events are about 27 lines long or 2500+ characters long. The field extractions ends with the following pattern (regex for security): \w+?\s|\s\d{9} and the pattern that follows the extracted field is =(\w+?.){5}\w+. I am aware that I should probably do this extraction and search time, but I have been overruled on that matter.

Here are some relevant configurations:

PROPS:

BREAK_ONLY_BEFORE = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \[
ADD_EXTRA_TIME_FIELDS = True
ANNOTATE_PUNCT = true
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE_DATE = true
DEPTH_LIMIT = 1000
FIELD_HEADER_REGEX = \[*
LEARN_MODEL = true
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MATCH_LIMIT = 100000
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 500
MAX_TIMESTAMP_LOOKAHEAD = 128
NO_BINARY_CHECK = true
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = true
TRANSFORMS-sesh_vars = sesh_vars
### VARIOUS TRANSFORMS FIELD EXTRACTIONS HERE
TRUNCATE = 50000
detect_trailing_nulls = false
disabled = false
maxDist = 100
category = Custom

TRANSFORMS:

[sesh_vars]
REGEX = (?m)Session\s+(?<sesh_vars>(.+\s*)+?)(?=Additional|$)
WRITE_META = true