@mayurr98 So good thanks for the quick help, this is working for me.

am getting the all fields separated from raw events except from Server

and also need STANZA same thing need to fix this automatic in props.conf and transforms.conf in the app

Server should be there as well, you can search for that field in all fields.

Transforms.conf 

[myplaintransform]
REGEX=\s([^\:]+)\:\s+([^\,]+)
FORMAT=$1::$2

props.conf

[sourcetype_name]
REPORT-a = myplaintransform

Accept/Like if it works for you.

@mayurr98 

Here is my search that I want to put into props & transform.

index=nsips_horizon sourcetype="vmware:uag:esmanager" 
| rex "^(?:[^ \n]* ){3}(?P<UAG_hostname>[a-z]+\d+)\s+(?P<app_name>[^:]+)[^:\n]*:\s+\[(?P<thread_id>\S+?)\](?P<log_level>[^ ]+)\s+(?P<file_name>[^\[]+)\[(?P<function_name>[^:]+):\s+(?P<line_num>[^\]]+)[^\[\n]*\[(?P<client_IP>[^\]]+|.?)\]\[(?P<username>.+|.?)\]\[(?P<session_type>.+|.?)\]\[(?P<session_id>[^\]]+)[^\]\n]*\]\s+\-\s+(?P<message>.+)"

here is sample log:

Sep 9 05:36:55 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[start: 355][][][][] - Edge Service Manager : started
Sep 9 05:36:54 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[stop: 1071][][][][] - Edge Service Manager : stopped

based on what I read the props.conf 

[vmware:uag:esmanager]
REPORT-esmanager = esmanager

Transform.conf

[esmanager]
REGEX = ^(?:[^ \n]* ){3}(?P<UAG_hostname>[a-z]+\d+)\s+(?P<app_name>[^:]+)[^:\n]*:\s+\[(?P<thread_id>\S+?)\](?P<log_level>[^ ]+)\s+(?P<file_name>[^\[]+)\[(?P<function_name>[^:]+):\s+(?P<line_num>[^\]]+)[^\[\n]*\[(?P<client_IP>[^\]]+|.?)\]\[(?P<username>.+|.?)\]\[(?P<session_type>.+|.?)\]\[(?P<session_id>[^\]]+)[^\]\n]*\]\s+\-\s+(?P<message>.+)
FORMAT = $1::$2

Right?  What's $1::$2 doing?

@mayurr98 No i already saw i guess why its not taking up is there is a space before the Server field you can see the sample raw data below

04-07-2022 00:44 Server: bug, Userid: monika, Alias: bugmonika, Return Code: 400, Password Len: 16, Host: lhplc3216, Execution ID: oracle, Directory: /bug/lds/oracle/rdbms/dbh_7347285/dbs Program: bugeco.exe, Elapsed Time: 0, Bypass Cache: false, Type: Unix, Version: 2.0

I have updated the transform to accumulate the server field:

The raw event that you gave , it should work now.

https://regex101.com/r/dL6JPE/1

Hi as you provided this is not working for me, and the regex 101 link which you provided its on working only on that not in Splunk query.

And the transforms.conf and props.conf is also not working.

could you please give me below details:

1) please share more sample raw events

2) share the props and transforms that you have wrote

3) where did you write the props and transforms?

4) have you restarted splunk instance after updating props and transforms ?

1) please share more sample raw events

04-08-2022 06:31 Server: O85XDC7, Userid: PKDPRW8, Alias: o34xda3pkspaw8, Return Code: 400, Password Len: 8, Host: hello1625.winki.com, Execution ID: ccms, Directory: /usr/local/scripts, Program: CoWXatrix.jar, Elapsed Time: 0, Bypass Cache: false, Type: Unix, Version: 2.0

04-08-2022 06:31 Server: O87XDC0, Userid: TOWDHU1, Alias: o73xda3sppklxl, Return Code: 400, Password Len: 25, Host: hello1625.winki.com, Execution ID: ccms, Directory: /usr/local/scripts, Program: CoWXatrix.jar, Elapsed Time: 0, Bypass Cache: false, Type: Unix, Version: 2.0

04-08-2022 06:31 Server: O85XDC7, Userid: PKDPRW8, Alias: o34xda3pkspaw8, Return Code: 400, Password Len: 8, Host: hello1625.winki.com, Execution ID: ccms, Directory: /usr/local/scripts, Program: CoWXatrix.jar, Elapsed Time: 0, Bypass Cache: false, Type: Unix, Version: 2.0

2) share the props and transforms that you have wrote
We tried in all different ways but no luck

3) where did you write the props and transforms?

In Search Head Deployer

4) have you restarted splunk instance after updating props and transforms ?

Yes, we restarted if any changes done we do always restart and bundle push as well

Actually this is we are taking sample events from Prod and uploading in UAT there we are trying. And index we created in indexer for this custom app

Hi for the search to work you would have to write this :

<your base search>
| extract kvdelim=":" pairdelim="," 
| rex "Server\s*:\s*(?<Server>[^\,]+)"

props.conf and transforms.conf is best to put on the heavy forwarder if you have one or the indexing layer.

The regex that I provided is for transforms only and it works well for all the events that you have given.

https://regex101.com/r/0rdToo/1

use below configuration on HF or Indexers.

props.conf
[ssc_cloakware]
REPORT-extractions = field_extractions
 
transforms.conf
[field_extractions]
REGEX = \s([^\:]+)\:\s+([^\,]+)
FORMAT = $1::$2

Restart the instance after editing the configuration. 

I am gonna test this configuration on my lab instance. meanwhile you do the same.

Hi Sorry for late responding, as you said i did same its working in the props.conf and transforms.conf but except the Server field in the logs, can you please share the extract field for the Server for transforms.conf

Hi, please update for this

Any update by chance