Hi,
I am looking to extract a field from the raw event using the below regex:
.*<name>(?<parameter_name>[^\<]+)
It should extract a string between 2 XML tags.
The extraction works fine using the rex command, but when it is added to the Field extractions, the extraction does not happen.
The configuration is defined in the Search and reporting app with Global read permission:
etc/apps/search/local/props.conf
[sourcetype]
EXTRACT-parameter_name = .*<name>(?P<parameter_name>[^<]+)
EXTRACT-parameter_value = .*<value>(?P<parameter_value>[^<]+)
Note: other extractions are present in the same file and are working well.
Any ideas what could be the catch here?
Thanks
Earlier the field was not being populated to "Interesting fields", but after narrowing down the search and piping to a table I am able to see it correctly.
For the record I am still using the same initial configuration as quoted in the question, regex in props.conf on the Search Head.
I am still not sure why the field cannot be seen when I search only for the sourcetype, even though it exists in around 20% of the events.
Thanks everyone for your help.
If you post a sample, it might help.
Correct, the tag names are name and value.
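An added example, not part of the original thread: Python's `re` module stands in for the two search-time EXTRACT patterns from the question, to check them offline against constructed events. It shows which tag the leading `.*` selects when one event holds several `<name>` elements, and in what fraction of events each field is present. The sample events and the function names are assumptions.

```python
import re

# The two EXTRACT- patterns from the props.conf stanza in the question.
EXTRACTS = {
    "parameter_name": re.compile(r".*<name>(?P<parameter_name>[^<]+)"),
    "parameter_value": re.compile(r".*<value>(?P<parameter_value>[^<]+)"),
}

# Constructed sample events; the XML layout is assumed, not taken from the thread.
SAMPLE_EVENTS = [
    "<param><name>timeout</name><value>30</value></param>",
    "<param><name>host</name><value>web01</value></param>"
    "<param><name>port</name><value>8443</value></param>",
    "2024-01-01 12:00:00 INFO service started",
    "2024-01-01 12:00:05 INFO heartbeat",
    "2024-01-01 12:00:10 WARN retrying connection",
]


def extract_fields(event):
    """Run each pattern once against the event and keep its single match."""
    fields = {}
    for name, pattern in EXTRACTS.items():
        match = pattern.search(event)
        if match:
            fields[name] = match.group(name)
    return fields


def field_coverage(events):
    """Return, per field, the fraction of events in which it was extracted."""
    counts = {name: 0 for name in EXTRACTS}
    for event in events:
        for name in extract_fields(event):
            counts[name] += 1
    return {name: counts[name] / len(events) for name in counts}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_fields(event))
    print(field_coverage(SAMPLE_EVENTS))
```

Because the leading `.*` is greedy, the second sample event yields `port` and `8443`, the last pair on the line, not `host` and `web01`.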