Splunk Search

Multi Line Event Field Extraction

johndunlea
Explorer

I have a SINGLE event in the following format (this is only part of the log):

/root/pegaruninit: Empty file
/root/eicar: Eicar-Test-Signature FOUND
/root/.bash_history: Empty file

This is part of an Antivirus log which is a "dump" of all the locations it scanned, and any viruses or signatures that it found.

What I want to do is create a REGEX and REPORT that extracts the "Eicar-Test-Signature" from the log and places it in a field called "virus_found".

props.conf:

REPORT-extract_virus_clamav = extract_virus_clamav

transforms.conf:

[extract_virus_clamav]
REGEX = :\s(.+?)\sFOUND
FORMAT = virus_found::$1

Problem is that it is taking the FIRST ":" and taking everything from " Empty file/root/eicar: Eicar-Test-Signature" and placing THIS in the new field.

Is there a way to call a field extraction from ONE line at a time, from a multi-line event?
E.g.: if the REGEX does not match the ":" AND the "FOUND" in one line, it continues to look through the other lines?

I hope this makes sense!

Thanks!

southeringtonp
Motivator

Don't let your capture group include newlines and you should be ok.

REGEX = :\s([^\r\n]+)\sFOUND
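To see why the first pattern overruns and the accepted answer does not, here is an added Python example (not from the thread; Python's re is used as a stand-in for Splunk's PCRE engine) that runs both regexes over a constructed three-line event, assuming re.DOTALL to model the cross-line capture johndunlea reported, and also shows the line-at-a-time scan he asked about.

```python
import re

# Constructed sample event, CRLF-terminated (the patterns below behave the same with LF).
SAMPLE_EVENT = (
    "/root/pegaruninit: Empty file\r\n"
    "/root/eicar: Eicar-Test-Signature FOUND\r\n"
    "/root/.bash_history: Empty file\r\n"
)

# The REGEX from the question. re.DOTALL lets '.' cross line breaks here, which
# reproduces the cross-line capture the poster observed (assumption: this models
# the reported behaviour, not Splunk's exact PCRE options).
ORIGINAL = re.compile(r":\s(.+?)\sFOUND", re.DOTALL)

# The accepted answer: a negated class can never consume \r or \n, so the
# capture is confined to the one line that actually ends in "FOUND".
FIXED = re.compile(r":\s([^\r\n]+)\sFOUND")


def extract_virus_found(event, pattern):
    """Values a transform using `pattern` would put in virus_found (one per match)."""
    return [m.group(1) for m in pattern.finditer(event)]


def extract_per_line(event, pattern):
    """The line-at-a-time scan the question asks about: apply `pattern` to each
    line separately, so a match can never span two lines whatever the pattern does."""
    hits = []
    for line in event.splitlines():
        m = pattern.search(line)
        if m:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("original :", extract_virus_found(SAMPLE_EVENT, ORIGINAL))
    print("fixed    :", extract_virus_found(SAMPLE_EVENT, FIXED))
    print("per line :", extract_per_line(SAMPLE_EVENT, ORIGINAL))
```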

johndunlea
Explorer

Perfect solution. Thanks!
