The following gives me exactly what I want:
host=****** Failed_Reason minutesago=15 | rex "\>(?<Failed_Reason>.*?)\<"
but when I use the regex to build a field extraction I cannot get a result even after restarting the indexer. The search output is the same.
The field extraction format is
Any idea why this is not working?
Have you tried the field extractor app? It will generate a regex for you.
It is not clear what you're asking. Is this for an index-time extraction?
1) Sounds like auto key=value extraction may be giving you a helping hand.
2) Your regex mentions > and < as marker characters, yet none are visible in your sample message.
3) When you move a regular expression from the search bar into transforms.conf, you'll want to remove the enclosing double-quotes.
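Point 3 above as a search-time configuration sketch, added here as an example and not posted by anyone in the thread. The sourcetype name `your_sourcetype` and the transform stanza name `failed_reason_extract` are placeholders, since the thread does not show the real ones.

```ini
# transforms.conf
# (stanza name is a placeholder chosen for this example)
[failed_reason_extract]
# As typed after "| rex" in the search bar, with the enclosing double-quotes:
#   "\>(?<Failed_Reason>.*?)\<"
# In transforms.conf the same pattern is written without them:
REGEX = \>(?<Failed_Reason>.*?)\<

# props.conf
# (sourcetype name is a placeholder; use the sourcetype of the events searched above)
[your_sourcetype]
# REPORT-<class> binds the transforms.conf stanza to this sourcetype at search time
REPORT-failed_reason = failed_reason_extract
```

Because the named capture group already carries the field name, no FORMAT line is needed in the transform.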