Can you try this?
TIME_FORMAT=%b %d %Y %H:%M
REGEX = <([^\>]*)>([^\<]*)
FORMAT = $1::$2
This will extract every field like this:
It's also extracting the _timestamp from the field you already have in your data. Does your XML have multiple tags? With these configs, every tag becomes a separate event, making the data more readable.
That's great, thanks. We have one issue: the username can be a multi-value entry. This is because support may be remotely logged onto the same host, so there could be 1, 2 or 3 entries of username. The one we are interested in is the last value, so it could be:
username= a123456 b123456 c123456
username= b123456 c123456
Any way of excluding the others and ensuring the last one is always picked up in the query?
You can use the rex command to test that the extraction is correct, and then add it to props.conf.
Use this command in search to create the field user:
Hope I helped you.
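As an added illustration of the approach in the answer above (this is not code from the thread), the following Python script runs the kind of regex you would put in a rex command over a few constructed log lines and returns the right-most username. The pattern `(?:\S+\s+)*` greedily swallows every ID except the last, so the named group always lands on the final one; the lines, the field layout and the assumption that `username=` is the last field on the line are all assumptions made for this example. In Splunk's rex (PCRE) the named group is written `(?<user>...)`; Python's `re` needs `(?P<user>...)`.

```python
import re

# Constructed sample events; not taken from the original thread.
SAMPLE_LINES = [
    "Jan 05 2021 10:15 host=srv01 username= a123456 b123456 c123456",
    "Jan 05 2021 10:16 host=srv01 username= b123456 c123456",
    "Jan 05 2021 10:17 host=srv02 username= A123456",
    "Jan 05 2021 10:18 host=srv02 username=",
]

# (?:\S+\s+)* eats every ID but the last, so the group 'user' is the
# right-most ID. Assumes username= is the last field on the line.
LAST_USER_RE = re.compile(r"username=\s*(?:\S+\s+)*(?P<user>\S+)\s*$")

# The same pattern as it would appear in an SPL rex command (assumed usage,
# field name _raw assumed): named groups use (?<name>...) in PCRE.
SPL_REX = r'rex field=_raw "username=\s*(?:\S+\s+)*(?<user>\S+)\s*$"'


def extract_user(line):
    """Return the right-most username ID, lower-cased, or None if absent.

    Lower-casing normalises IDs that are logged as A123456 on one host and
    a123456 on another so a single search matches both.
    """
    m = LAST_USER_RE.search(line)
    if not m:
        return None
    return m.group("user").lower()


def extract_all_users(line):
    """Return every ID in the username field (in order) for comparison."""
    m = re.search(r"username=\s*(?P<ids>.*?)\s*$", line)
    if not m or not m.group("ids"):
        return []
    return [u.lower() for u in m.group("ids").split()]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_all_users(line), "->", extract_user(line))
```

Run the script and compare the full ID list with the single extracted value for each line; once the regex behaves as expected in rex, the same pattern can be moved into a props.conf/transforms.conf extraction.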
In the username field, sometimes the first character of the user's ID is uppercase, and other times it is lower case. In other cases, an engineer logs in for remote assistance and there are two or three sets of IDs, where the right-most ID is the one we want.