I came across a very strange problem:
I have a transformation field:
[record]
FORMAT = event_type::Record_DVR dvr_start_time::$1 dvr_end_time::$2 dvr_sid::$3 dvr_freq::$4
REGEX = RecordingManager.record(LocatorRecSpec<(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} EST\d+EDT \d{4}) to (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} EST\d+EDT \d{4}) OcapLocator[SId=([-|\d]) freq=([-|\d]) prog#=([-|\d]) ([\d|\w])]>)
And a search:
sourcetype=Message event_type=Record_DVR
This is doesn't work.
However If i change
event_type::Record
and
event_type=Record
It can work.
if I change both to Record_Dvr
still doesn't work
if change to record,
it works again!
I try a lot of ways, but the result is also very strange.
