I'm trying to get search time field extractions (or index time) on the following log format:
2014-06-11T09:32:45.545-07:00 - INFO
Seems like fairly straightforward key-value extraction, try this:
REPORT-kv = key_colon_value
REGEX = ^(?<_KEY_1>\w+):(?<_VAL_1>.*)$
Make sure my use of start- and end-of-line anchors works correctly without specifying any flags such as (?m) or (?s), I frequently mix those up 🙂
Try this as transform REGEX.
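An added illustration, not from the thread, of how the anchors in the proposed REGEX behave with and without the multiline and dotall flags. It reimplements the extraction in Python so it can be run offline; the multi-line event below is constructed (the thread's sample shows only the timestamp line), and the key names mirror Splunk's _KEY_1/_VAL_1 convention using Python's (?P<name>...) syntax. Splunk's REGEX is PCRE, which follows the same convention for ^, $ and . as shown here.

```python
import re

# Constructed sample event: a timestamp line followed by key:value lines,
# which is the shape the thread's regex is meant to handle.
SAMPLE_EVENT = """2014-06-11T09:32:45.545-07:00 - INFO
ProductType:PACKAGE
Region:us-west
"""

# The transform regex from the thread, with Python-style named groups.
KV_PATTERN = r"^(?P<_KEY_1>\w+):(?P<_VAL_1>.*)$"


def extract_kv(event: str, multiline: bool = True, dotall: bool = False) -> dict:
    """Return the key/value pairs matched by KV_PATTERN across an event.

    multiline=True  : ^ and $ anchor at every line boundary (the (?m) flag),
                      so each key:value line is matched on its own.
    multiline=False : ^ and $ anchor only at the start/end of the whole event,
                      so a key:value line that is not the first line never matches.
    dotall=True     : . also matches newlines (the (?s) flag), so .* swallows
                      everything after the first key through the end of the event.
    """
    flags = 0
    if multiline:
        flags |= re.MULTILINE
    if dotall:
        flags |= re.DOTALL
    pairs = {}
    for m in re.finditer(KV_PATTERN, event, flags):
        pairs[m.group("_KEY_1")] = m.group("_VAL_1").strip()
    return pairs


def format_as_kv(pairs: dict) -> str:
    """Render the extracted fields as key=value, i.e. ProductType=PACKAGE."""
    return " ".join(f"{k}={v}" for k, v in pairs.items())


if __name__ == "__main__":
    print("multiline      :", format_as_kv(extract_kv(SAMPLE_EVENT)))
    print("no multiline   :", extract_kv(SAMPLE_EVENT, multiline=False))
    print("multiline+dotall:", extract_kv(SAMPLE_EVENT, dotall=True))
```

With the multiline flag the two key:value lines come out as `ProductType=PACKAGE Region=us-west`; without it the first line is the only place `^` can anchor, and `2014-06-...` never contains `\w+:`, so nothing is extracted at all. Adding dotall is the other common mix-up: the greedy `.*` then runs through the rest of the event and `Region:us-west` ends up inside the `ProductType` value.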
Do I not need something extra to have the : appear as a =
So ProductType:PACKAGE would be ProductType=PACKAGE
Interesting, it does not appear to be working. Can you expand on the anchor points?
Maybe I am mixing them up!