Hi all, I want to extract fields from a custom log format. Here's my transforms.conf: REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+\s+\S+\s+(\S+)(?:\s+(iLO\d+))?\s+-\s+-\s+-\s+(....
See more...
Hi all, I want to extract fields from a custom log format. Here's my transforms.conf: REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+\s+\S+\s+(\S+)(?:\s+(iLO\d+))?\s+-\s+-\s+-\s+(.*)
FORMAT = name::$1 version::$2 message::$3
DEST_KEY = _meta This regex is supposed to extract the following from a log like: Jul 27 14:10:05 1.2.3.4 1 2025-07-27T14:09:05Z QQQ123-G12-W4-AB iLO6 - - - iLO time update failed. Unable to contact NTP server. Expected extracted fields: name = QQQ123-G12-W4-AB version = iLO6 message = iLO time update failed. Unable to contact NTP server. The regex works correctly when tested independently, and all three groups are matched. However, in Splunk, only the first two fields (name and version) are extracted correctly. The message field only includes the first word: iLO. It seems Splunk is stopping at the first space for the message field, despite the regex using (.*) at the end. Any idea what could be causing this behavior? Is there a setting or context where Splunk treats fields as single-token values by default? Any advice would be appreciated!