I've read the documentation for inline field extractions and I don't see what I'm doing wrong here. I've added a props.conf file to my test app with the following:

[emm_syslog]
LINE_BREAKER = ([\r\n]+)
category = Application
disabled = false
EXTRACT-emm_syslog = <(?<priority>[\d]+)>\d (?<timestamp>\S+) (?<hostname>\S+) (?<app_name>\S+) (?<proc_id>\S+) (?<msg_id>\S+) \[(?<sd_id>\S+) auditType=\"(?<audit_type>\S+)\" tenantId=\"(?<tenant_id>\S+)\"\] (?<message>.*)

This regex matches my test event on regex101.com:

<135>1 2024-01-02T14:34:51.429Z TestServer EMM_Console 9176 FULL [emmAudit@18060 auditType="Console" tenantId="EMM"] "Console","2024-01-02T14:34:51.429+00:00","username","127.0.0.1","","CCON0030","Admin Login",,"Info","SUCCESS","0",,"Admin User Login Success (HTTPS)"

Within the Search app, however, none of these capture groups are extracted. Am I doing something obviously wrong here, or how should I proceed with troubleshooting?